On 17.11.2015 04:34, GitHub wrote:
> Branch: refs/heads/master
> Home: https://github.com/BOINC/boinc
> Commit: 153f6600d0c859c71587fb2fb82578587f1a16e7
>
> https://github.com/BOINC/boinc/commit/153f6600d0c859c71587fb2fb82578587f1a16e7
> Author: David Anderson <[email protected]>
> Date: 2015-11-16 (Mon, 16 Nov 2015)
>
> Changed paths:
> M sched/sample_assimilator.cpp
> M sched/sample_dummy_assimilator.cpp
> M sched/single_job_assimilator.cpp
> M tools/backend_lib.cpp
>
> Log Message:
> -----------
> Server (assimilator): add random string to result file names
>
> Otherwise, result file names can be inferred from result names.
> An attacker with task A could find the name of the "wingman" task B,
> upload fake files as B's output files,
> upload the same files as A's output files,
> report A as completed, and get unearned credit.

I would like to revert this commit for several reasons.

1. This causes problems in the assimilator and post processing for projects that rely on the BOINC result file naming convention. There needs to be an update path for this, e.g. a way for the assimilator to detect this random string and remove it before doing anything else with it. If a project updates to this code, there is a period of mixed filenames that the assimilator needs to handle. Ideally this should be solved BOINC-only so the projects don't have to change assimilators or post processing. The minimum would be to make it easy to detect the random string and remove it, which at the moment is not clear.

2. The random value is part of the basename, which before ended with an underscore; it now ends with a random number, which causes problems when the actual output file number gets appended.

3. Removing the comments from the sample_assimilator daemon defeats the purpose of those being an educational example to project admins and also has nothing to do with the issue at hand.

Regards
Christian
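
Points 1 and 2 of the message above, as an added C++ example that is not part of the original message or of BOINC's code: it shows why a random number followed directly by the file number is ambiguous, and how a delimited, fixed-length token can be detected and stripped while legacy names pass through unchanged. The name layouts, the `_r` marker, the 16-hex-digit token length and all function names are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Assumed layouts (hypothetical, not taken from the BOINC source):
//   legacy:      <result_name>_<file_no>
//   undelimited: <result_name>_<random><file_no>      (reading of point 2)
//   tagged:      <result_name>_r<16 hex digits>_<file_no>
static const std::size_t TOKEN_HEX_LEN = 16;

// Random number and file number concatenated with no separator.
std::string undelimited_name(const std::string& result, unsigned rnd, unsigned file_no) {
    return result + "_" + std::to_string(rnd) + std::to_string(file_no);
}

// Token set off by "_r" in front and "_" behind, so its extent is unambiguous.
std::string tagged_name(const std::string& result, const std::string& token_hex, unsigned file_no) {
    return result + "_r" + token_hex + "_" + std::to_string(file_no);
}

// Map a tagged name back to the legacy form. Anything that does not end in
// "_r<16 hex>_<digits>" is returned unchanged, which covers the mixed period
// where legacy and tagged files coexist.
std::string strip_random_token(const std::string& name) {
    std::size_t us = name.rfind('_');
    if (us == std::string::npos || us + 1 == name.size()) return name;
    for (std::size_t i = us + 1; i < name.size(); i++)
        if (!std::isdigit((unsigned char)name[i])) return name;
    const std::size_t tok_len = 2 + TOKEN_HEX_LEN;   // "_r" plus hex digits
    if (us < tok_len + 1) return name;               // no room for a result name
    std::size_t start = us - tok_len;
    if (name[start] != '_' || name[start + 1] != 'r') return name;
    for (std::size_t i = start + 2; i < us; i++)
        if (!std::isxdigit((unsigned char)name[i])) return name;
    return name.substr(0, start) + name.substr(us);
}

int main() {
    // Constructed sample names.
    std::cout << undelimited_name("wu_7_0", 12, 34) << " == "
              << undelimited_name("wu_7_0", 123, 4) << "\n";
    std::cout << strip_random_token(tagged_name("wu_7_0", "0123456789abcdef", 1)) << "\n";
    std::cout << strip_random_token("wu_7_0_1") << "\n";
    return 0;
}
```

A legacy result name that happens to end in `_r` plus 16 hex digits would still be misread, so pattern detection alone narrows the ambiguity during the mixed period rather than eliminating it.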
