Don't send passwords after shim delimiter is found (#33170)

The SSH_PASSWORD_PROMPT_RE regexp used to detect if SSH is requesting a
password can be triggered if the shim is returning data to the server
with text that matches the regex, including inside JSON results. This
then leaves the server unable to parse the JSON results. This
patch fixes this issue by looking for the shim delimiter in the output and
disabling the sending of passwords after the delimiter is found.

Fixes #29422.
Dane 2016-05-13 22:36:38 +01:00 committed by Nicole Thomas
parent 5c2870c24f
commit 30ca6443a9


@ -23,6 +23,10 @@ log = logging.getLogger(__name__)
SSH_PASSWORD_PROMPT_RE = re.compile(r'(?:.*)[Pp]assword(?: for .*)?:', re.M)
KEY_VALID_RE = re.compile(r'.*\(yes\/no\).*')
# Keep these in sync with ./__init__.py
RSTR = '_edbc7885e4f9aac9b83b35999b68d015148caf467b78fa39c05f669c0ff89878'
RSTR_RE = re.compile(r'(?:^|\r?\n)' + RSTR + r'(?:\r?\n|$)')
class NoPasswdError(Exception):
pass
@ -339,6 +343,7 @@ class Shell(object):
stream_stdout=False,
stream_stderr=False)
sent_passwd = 0
send_password = True
ret_stdout = ''
ret_stderr = ''
old_stdout = ''
@ -353,7 +358,10 @@ class Shell(object):
buff = stdout
if stderr:
ret_stderr += stderr
if buff and SSH_PASSWORD_PROMPT_RE.search(buff):
if buff and RSTR_RE.search(buff):
# We're getting results back, don't try to send passwords
send_password = False
if buff and SSH_PASSWORD_PROMPT_RE.search(buff) and send_password:
if not self.passwd:
return '', 'Permission denied, no authentication information', 254
if sent_passwd < passwd_retries:
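Review bot: The new delimiter check `RSTR_RE.search(buff)` looks only at the current read, so if the shim delimiter is split across two reads it never matches and `send_password` stays `True`; later shim output that looks like a prompt would then still get the password written to the remote process. Matching against the accumulated output would close that gap, for example `if send_password and RSTR_RE.search(ret_stdout):`, assuming `ret_stdout` collects every stdout chunk (its accumulation is outside this hunk). Text that the remote side prints before the delimiter and that matches the loose `SSH_PASSWORD_PROMPT_RE` still receives the password, so a comment such as `# Only pre-delimiter output is treated as a possible SSH prompt` would make that remaining trust assumption explicit. The loop and the enclosing method start and end outside the hunk.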