From c082221aefbb2a472c7193dbdbb90900256ce1a2 Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Wed, 16 May 2018 16:15:12 +0800
Subject: [PATCH 1/7] Add warning message when using password on command line
---
 src/redis-cli.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index d80973e75..712c5b92a 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1088,6 +1088,7 @@ static int parseOptions(int argc, char **argv) {
 } else if (!strcmp(argv[i],"-n") && !lastarg) {
 config.dbnum = atoi(argv[++i]);
 } else if (!strcmp(argv[i],"-a") && !lastarg) {
+ fputs("Warning: Using a password on the command line interface can be insecure.\n", stderr);
 config.auth = argv[++i];
 } else if (!strcmp(argv[i],"-u") && !lastarg) {
 parseRedisUri(argv[++i]);
From b263c7c465f83071d90991a036f6c9772890604b Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Wed, 16 May 2018 16:18:00 +0800
Subject: [PATCH 2/7] Stop saving auth command in redis-cli history.
---
 src/redis-cli.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 712c5b92a..866125ec6 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1399,8 +1399,10 @@ static void repl(void) {
 while((line = linenoise(context ? config.prompt : "not connected> ")) != NULL) {
 if (line[0] != '\0') {
 argv = cliSplitArgs(line,&argc);
- if (history) linenoiseHistoryAdd(line);
- if (historyfile) linenoiseHistorySave(historyfile);
+ if (strcasecmp(argv[0], "auth")) {
+ if (history) linenoiseHistoryAdd(line);
+ if (historyfile) linenoiseHistorySave(historyfile);
+ }
 if (argv == NULL) {
 printf("Invalid argument(s)\n");
From ef931ef93e909b4f504e8c6fbed350ed70c1c67c Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Fri, 18 May 2018 11:37:31 +0800
Subject: [PATCH 3/7] Change the warning message a little bit to avoid trademark issuses.
---
 src/redis-cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
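Review bot: The warning in the `-a` branch of parseOptions() (1/7) does not cover the `-u` branch two lines below, which hands its argument to parseRedisUri(); if that URI form can carry a password (parseRedisUri is not shown), the secret sits in argv the same way and no warning is printed. The text also gives the user no reason: a command-line argument stays readable in the process list and usually in shell history. I would put `/* argv is visible to other local users (ps, /proc) and is kept in shell history */` above the fputs() and print the same warning from the URI path whenever it yields a password. parseOptions() starts and ends outside the hunk.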
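Review bot: In repl() (2/7) `strcasecmp(argv[0], "auth")` runs before the `if (argv == NULL)` test that follows it, so a line cliSplitArgs() fails to split is dereferenced as a NULL pointer. If cliSplitArgs() can also succeed with argc == 0 (not visible here), `argv[0]` is read past the result as well. 4/7 later adds the guard, but this commit on its own crashes on malformed input, so the condition here should already be `if (argv == NULL || argc == 0 || strcasecmp(argv[0], "auth")) {`. repl() starts and ends outside the hunk.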
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 866125ec6..13cfe8a02 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1088,7 +1088,7 @@ static int parseOptions(int argc, char **argv) {
 } else if (!strcmp(argv[i],"-n") && !lastarg) {
 config.dbnum = atoi(argv[++i]);
 } else if (!strcmp(argv[i],"-a") && !lastarg) {
- fputs("Warning: Using a password on the command line interface can be insecure.\n", stderr);
+ fputs("Warning: Using a password with '-a' option on the command line interface may not be safe.\n", stderr);
 config.auth = argv[++i];
 } else if (!strcmp(argv[i],"-u") && !lastarg) {
 parseRedisUri(argv[++i]);
From c2e2314640159078416400b9c9b155879c6a1386 Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Fri, 18 May 2018 11:40:05 +0800
Subject: [PATCH 4/7] Detect and stop saving history for auth command with repeat option. Put the repeat option checking code a little forward to avoid repeat logic.
---
 src/redis-cli.c | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 13cfe8a02..17b02641f 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1398,8 +1398,24 @@ static void repl(void) {
 cliRefreshPrompt();
 while((line = linenoise(context ? config.prompt : "not connected> ")) != NULL) {
 if (line[0] != '\0') {
+ int repeat = 1, skipargs = 0;
+ char *endptr;
+
 argv = cliSplitArgs(line,&argc);
- if (strcasecmp(argv[0], "auth")) {
+
+ /* check if we have a repeat command option and
+ * need to skip the first arg */
+ if (argv && argc > 0) {
+ repeat = strtol(argv[0], &endptr, 10);
+ if (argc > 1 && *endptr == '\0' && repeat) {
+ skipargs = 1;
+ } else {
+ repeat = 1;
+ }
+ }
+
+ /* Won't save auth command in history file */
+ if (!(argv && argc > 0 && !strcasecmp(argv[0+skipargs], "auth"))) {
 if (history) linenoiseHistoryAdd(line);
 if (historyfile) linenoiseHistorySave(historyfile);
 }
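Review bot: The history filter in repl() (4/7, first hunk) recognises only a command named `auth`, so other lines that carry a credential are still passed to linenoiseHistoryAdd() and written by linenoiseHistorySave(); `CONFIG SET requirepass …` and `CONFIG SET masterauth …` are the obvious cases. A line that fails to split is saved as well, because the test needs a non-NULL argv; if cliSplitArgs() returns NULL for an unterminated quote, a mistyped `auth "…` ends up in the history file. I would move the decision into a small predicate, as sketched below, and decide explicitly whether unparsable lines should be saved at all. repl() starts and ends outside the hunk.

```c
/* Return 1 when the command line carries a credential and must be
 * kept out of the history file. */
static int isSensitiveCommand(int argc, char **argv) {
    if (!strcasecmp(argv[0], "auth")) return 1;
    if (argc > 2 && !strcasecmp(argv[0], "config") &&
        !strcasecmp(argv[1], "set") &&
        (!strcasecmp(argv[2], "requirepass") ||
         !strcasecmp(argv[2], "masterauth"))) return 1;
    return 0;
}

/* … unchanged: repl() up to and including the repeat-count parsing … */

                /* Keep credential-bearing commands out of the history. */
                if (!(argv && argc > skipargs &&
                      isSensitiveCommand(argc-skipargs, argv+skipargs))) {
                    if (history) linenoiseHistoryAdd(line);
                    if (historyfile) linenoiseHistorySave(historyfile);
```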
@@ -1434,15 +1450,6 @@ static void repl(void) {
 linenoiseClearScreen();
 } else {
 long long start_time = mstime(), elapsed;
- int repeat, skipargs = 0;
- char *endptr;
-
- repeat = strtol(argv[0], &endptr, 10);
- if (argc > 1 && *endptr == '\0' && repeat) {
- skipargs = 1;
- } else {
- repeat = 1;
- }
 issueCommandRepeat(argc-skipargs, argv+skipargs, repeat);
From b2762f1ff2db7d8fb84a90aa701098334db52ce0 Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Sat, 19 May 2018 22:50:40 +0800
Subject: [PATCH 5/7] Fix negtive repeat command value issue. If command like "-1 set a b" is sent with redis-cli, it will cause a deadless loop. So some repeat value checking logic is added to avoid this.
---
 src/redis-cli.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 17b02641f..54b0d8f88 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -1398,16 +1398,24 @@ static void repl(void) {
 cliRefreshPrompt();
 while((line = linenoise(context ? config.prompt : "not connected> ")) != NULL) {
 if (line[0] != '\0') {
- int repeat = 1, skipargs = 0;
- char *endptr;
+ long repeat = 1;
+ int skipargs = 0;
+ char *endptr = NULL;
 argv = cliSplitArgs(line,&argc);
 /* check if we have a repeat command option and
 * need to skip the first arg */
 if (argv && argc > 0) {
+ errno = 0;
 repeat = strtol(argv[0], &endptr, 10);
- if (argc > 1 && *endptr == '\0' && repeat) {
+ if (argc > 1 && *endptr == '\0') {
+ if (errno == ERANGE || errno == EINVAL || repeat <= 0) {
+ fputs("Invalid redis-cli repeat command option value.\n", stdout);
+ sdsfreesplitres(argv, argc);
+ linenoiseFree(line);
+ continue;
+ }
 skipargs = 1;
 } else {
 repeat = 1;
From cc7ffdfdf204fc7ab815ee602769de7f9323c353 Mon Sep 17 00:00:00 2001
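Review bot: In repl() (5/7) `*endptr == '\0'` is also true when strtol() consumed no characters, so an empty first token (for example a quoted empty string, if cliSplitArgs() yields one) has endptr == argv[0] and is now taken for a repeat count of 0 and rejected with the "Invalid redis-cli repeat command option value." message instead of being passed on as a command name. The numeric test should require that digits were read: `if (argc > 1 && endptr != argv[0] && *endptr == '\0') {`. The new code also depends on `errno`, `ERANGE` and `EINVAL`; no include is added in this patch, so `<errno.h>` must already be pulled in by the file, which the page does not show. repl() starts and ends outside the hunk.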
From: "dejun.xdj"
Date: Mon, 21 May 2018 12:04:53 +0800
Subject: [PATCH 6/7] Change the type of repeat argument to long for function cliSendCommand. To be in consistent with the original definition.
---
 src/redis-cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 54b0d8f88..9bbea0fe2 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -917,7 +917,7 @@ static int cliReadReply(int output_raw_strings) {
 return REDIS_OK;
 }
-static int cliSendCommand(int argc, char **argv, int repeat) {
+static int cliSendCommand(int argc, char **argv, long repeat) {
 char *command = argv[0];
 size_t *argvlen;
 int j, output_raw;
From 95b988b6c69083fff3e00271653c2239d482ea0d Mon Sep 17 00:00:00 2001
From: "dejun.xdj"
Date: Mon, 21 May 2018 12:06:48 +0800
Subject: [PATCH 7/7] Check if the repeat value is positive in while loop of cliSendCommand(). In case that the incoming repeat parameter is negative and causes a deadless loop.
---
 src/redis-cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 9bbea0fe2..feddf378c 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -980,7 +980,7 @@ static int cliSendCommand(int argc, char **argv, long repeat) {
 for (j = 0; j < argc; j++) argvlen[j] = sdslen(argv[j]);
- while(repeat--) {
+ while(repeat-- > 0) {
 redisAppendCommandArgv(context,argc,(const char**)argv,argvlen);
 while (config.monitor_mode) {
 if (cliReadReply(output_raw) != REDIS_OK) exit(1);
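Review bot: `while(repeat-- > 0)` in cliSendCommand() (7/7) makes every negative count run zero times, and that applies to all callers of the function, not only the REPL path that 5/7 already validates. redis-cli's `-r` option has been documented as taking -1 to repeat forever; if that value reaches this function (the `-r` caller is outside the page), the change silently turns it into a no-op. If unbounded repeat is meant to stay available from the command line, the loop would be `while (repeat < 0 || repeat-- > 0) {` with the REPL-side rejection from 5/7 kept, and either way a comment stating what a non-positive `repeat` means belongs on the function. cliSendCommand() starts and ends outside the hunk.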