[Libreoffice-commits] online.git: common/SigUtil.cpp wsd/Auth.cpp
Miklos Vajna (via logerrit)
logerrit at kemper.freedesktop.org
Mon Apr 6 10:03:57 UTC 2020
common/SigUtil.cpp | 4 +++-
wsd/Auth.cpp | 12 +++++++++---
2 files changed, 12 insertions(+), 4 deletions(-)
New commits:
commit 42c8417e348c4aede738aace02a1870138478fc6
Author: Miklos Vajna <vmiklos at collabora.com>
AuthorDate: Mon Apr 6 09:29:51 2020 +0200
Commit: Miklos Vajna <vmiklos at collabora.com>
CommitDate: Mon Apr 6 12:03:39 2020 +0200
admin fuzzer: improve this further, so it can find interesting paths faster
1) Don't actually kill anything with the kill command, otherwise kill(0,
SIGKILL) will kill the fuzzer itself.
2) Don't require a valid signature when authenticating with JWT, since
the private key is generated on each process startup.
3) Log when the JWT would be invalid due to an expired timestamp.
Change-Id: I0da285617e27910329c0e7ed80a6d02e86344ccf
Reviewed-on: https://gerrit.libreoffice.org/c/online/+/91737
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice at gmail.com>
Reviewed-by: Miklos Vajna <vmiklos at collabora.com>
diff --git a/common/SigUtil.cpp b/common/SigUtil.cpp
index 881326df5..944a8d376 100644
--- a/common/SigUtil.cpp
+++ b/common/SigUtil.cpp
@@ -359,7 +359,9 @@ namespace SigUtil
bool killChild(const int pid)
{
LOG_DBG("Killing PID: " << pid);
- if (kill(pid, SIGKILL) == 0 || errno == ESRCH)
+ // Don't kill anything in the fuzzer case: pid == 0 would kill the fuzzer itself, and
+ // killing random other processes is not a great idea, either.
+ if (Util::isFuzzing() || kill(pid, SIGKILL) == 0 || errno == ESRCH)
{
// Killed or doesn't exist.
return true;
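Review bot: The added `Util::isFuzzing()` short-circuit protects only the fuzzer build; in every other build `kill(pid, SIGKILL)` still runs with whatever pid is passed in. The commit message itself notes that pid 0 signals the caller's own process group, and a negative pid reaches further still. Whether callers validate the pid is not visible in this hunk, so a guard at the top of killChild such as `if (pid <= 0) return false;` would make the function safe without relying on them. In fuzzing mode the function now reports success without killing anything, which is worth stating in its documentation. killChild's body continues past the end of the hunk.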
diff --git a/wsd/Auth.cpp b/wsd/Auth.cpp
index 8c53c367c..021257235 100644
--- a/wsd/Auth.cpp
+++ b/wsd/Auth.cpp
@@ -134,7 +134,10 @@ bool JWTAuth::verify(const std::string& accessToken)
if (encodedSig != tokens[2])
{
LOG_INF("JWTAuth: verification failed; Expected: " << encodedSig << ", Received: " << tokens[2]);
- return false;
+ if (!Util::isFuzzing())
+ {
+ return false;
+ }
}
std::istringstream istr(tokens[1]);
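Review bot: Signature verification here, and expiry enforcement in the next hunk of this file, are skipped whenever `Util::isFuzzing()` returns true, so JWTAuth::verify is only safe if that function is false in every shipped build. Its definition is not visible here; if it is not a compile-time constant tied to the fuzzer build, these branches are an authentication bypass. I would guard both with the fuzzer's build macro, or at least add a comment such as `// Fuzzing only: the key is regenerated per process, so no input can carry a valid signature.` Separately, the context line above logs the expected signature at INFO level, which gives anyone with log access a valid signature for the submitted header and payload; logging only that verification failed would avoid that. The function starts and ends outside the hunk.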
@@ -153,10 +156,13 @@ bool JWTAuth::verify(const std::string& accessToken)
std::chrono::system_clock::time_point now = std::chrono::system_clock::now();
std::time_t curtime = std::chrono::system_clock::to_time_t(now);
- if (!Util::isFuzzing() && curtime > decodedExptime)
+ if (curtime > decodedExptime)
{
LOG_INF("JWTAuth:verify: JWT expired; curtime:" << curtime << ", exp:" << decodedExptime);
- return false;
+ if (!Util::isFuzzing())
+ {
+ return false;
+ }
}
}
catch(Poco::Exception& exc)