fedora 24
misc weakness #443

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data.

File Name:

glom-1.30.4/glom/glom_test_connection.cc

Context:

The getpass() call in the code below (the function named in the warning above) is the trigger point of this particular Fedora 24 misc weakness.

  {
    std::cerr << G_STRFUNC << ": Please provide a database hostname." << std::endl;
    print_options_hint();
    return EXIT_FAILURE;
  }

  if(group.m_arg_server_username.empty())
  {
    std::cerr << _("Please provide a database username.") << std::endl;
    print_options_hint();
    return EXIT_FAILURE;
  }

  //Get the password from stdin.
  //This is not a command-line option because then it would appear in logs.
  //Other command-line utilities such as psql don't do this either.
  //TODO: Support alternatives such as using a file.
  const auto prompt = Glib::ustring::compose(
    _("Please enter the PostgreSQL server's password for the user %1: "), group.m_arg_server_username);

#ifdef G_OS_WIN32
  const char* password = "";
  std::cerr << G_STRFUNC << ": Error: getpass() is not implemented in the Windows build. The connection will fail." << std::endl;
#else
  const auto password = ::getpass(prompt.c_str());
#endif

  //Setup the connection, assuming that we are testing central hosting:
  auto connection_pool = Glom::ConnectionPool::get_instance();

  //Specify the backend and backend-specific details to be used by the connectionpool.
  //This is usually done by ConnectionPool::setup_from_document():
  Glom::ConnectionPoolBackends::Backend* backend = nullptr;
#ifdef GLOM_ENABLE_MYSQL
  if(group.m_arg_use_mysql)
  {
    //TODO: Move some of the *CentralHosted API into a multiply-inherited Server base class,
    //to avoid the duplication?
    auto derived_backend = new Glom::ConnectionPoolBackends::MySQLCentralHosted;

    //Use a specified port, or try all suitable ports:
    if(group.m_arg_server_port)
    {
      derived_backend->set_port(group.m_arg_server_port);
      derived_backend->set_try_other_ports(false);
    }
    else
    {
      derived_backend->set_try_other_ports(true);
    }
