Bug #6571
Sanitize IPv6 addresses in WhisperBack
Start date:
2014-03-02
Due date:
% Done:
50%
Description
We currently don’t remove IPv6 addresses, while we do remove IPv4
addresses (see sanitize_hardware_info in utils.py).
This should be fixed as IPv6 addresses can contain MAC addresses.
Subtasks
Bug #6804: Sanitize expanded IPv6 addresses in WhisperBack | Resolved | 100 |
|||
Bug #6805: Sanitize "compressed" IPv6 addresses in WhisperBack | Confirmed | alant | 0 |
Related issues
Related to Tails - Bug #6343: List potentially identifying information sent in Whisperback reports | In Progress | 2014-03-01 | |
Related to Tails - Bug #10695: unscrubbed URL in .xsession-errors (and therefore, in whisperback report) | In Progress | 2015-11-30 |
History
#2 Updated by sajolida 2014-01-31 08:46:10
We were submitted a patch for that. See bugreport baf885a4fc0b888f09afe2e625cd448d.
--- /lib/live/mount//rootfs//filesystem.squashfs/usr/share/pyshared/whisperBack/utils.py 2013-11-30 09:19:08.000000000 -0500
+++ /usr/share/pyshared/whisperBack/utils.py 2014-01-08 03:24:49.707905907 -0500
@@ -29,6 +29,8 @@
import re
import urlparse
import locale
+import subprocess
+import string
# Ugly pathes finder utilities
@@ -135,6 +137,45 @@
else:
return False
+def expand_ipv6(address):
+ fullAddress = "" # All groups
+ expandedAddress = "" # Each group padded with leading zeroes
+ validGroupCount = 8
+ validGroupSize = 4
+ if "::" not in address: # All groups are already present
+ fullAddress = address
+ else: # Consecutive groups of zeroes have been collapsed with "::"
+ sides = address.split("::")
+ groupsPresent = 0
+ for side in sides:
+ if len(side) > 0:
+ groupsPresent += len(side.split(":"))
+ if len(sides[0]) > 0:
+ fullAddress += sides[0] + ":"
+ for i in range(0,validGroupCount-groupsPresent):
+ fullAddress += "0000:"
+ if len(sides[1]) > 0:
+ fullAddress += sides[1]
+ if fullAddress[-1] == ":":
+ fullAddress = fullAddress[:-1]
+ groups = fullAddress.split(":")
+ for group in groups:
+ while(len(group) < validGroupSize):
+ group = "0" + group
+ expandedAddress += group + ":"
+ if expandedAddress[-1] == ":":
+ expandedAddress = expandedAddress[:-1]
+ return expandedAddress
+
+def get_local_ipv6():
+ ifconfig = subprocess.Popen(("/sbin/ifconfig"), stdout=subprocess.PIPE)
+ ifconfig.wait()
+ data = ifconfig.communicate()[0]
+ matched_lines = [line for line in data.split('\n') if "inet6" in line]
+ ipv6_addresses = [re.sub(r'.*addr: ([^/]*)/.*', r'\g<1>', line) for line in matched_lines]
+ ipv6_addresses.extend([expand_ipv6(addr) for addr in ipv6_addresses])
+ return ipv6_addresses
+
def sanitize_hardware_info(log_string):
"""Sanitize hardware-identifying info from a string
@@ -162,6 +203,15 @@
log_string = re.sub(r'([\d]{1,3}\.){3}[\d]{1,3}',
r'[IP REMOVED]',
log_string)
+
+ log_string = re.sub(r'[0-9a-fA-F]{4}(:[0-9a-fA-F]{4}){7}',
+ r'[IP6 REMOVED]',
+ log_string)
+
+ ipv6 = get_local_ipv6()
+ for addr in ipv6:
+ log_string = string.replace(log_string, addr, '[IP6 REMOVED]')
+
# MAC addresses
log_string = re.sub(r'([0-9a-fA-F]{2}:){5,}[0-9a-fA-F]{2}',
r'[MAC REMOVED]',
#3 Updated by intrigeri 2014-01-31 22:42:09
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 20
#4 Updated by alant 2014-03-01 22:37:53
I don’t see why to use such a complex solution while addresses in the exemple are already expanded:
[ 12.3456789] Dropped outbound packet: IN= OUT=eth0 SRC=fe80:0000:0000:0000:abcd:efab:cdef:1234 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
#5 Updated by alant 2014-03-01 23:02:22
- % Done changed from 20 to 40
- Feature Branch set to whisperback:bugfix/filter_more_serial_nos
The simple approach is now implemented.
#6 Updated by alant 2014-03-01 23:22:37
- Assignee changed from alant to anonym
- QA Check set to Ready for QA
#7 Updated by alant 2014-03-02 10:06:49
- Assignee changed from anonym to alant
- QA Check deleted (
Ready for QA) - Feature Branch deleted (
whisperback:bugfix/filter_more_serial_nos)
Splitted between two subtasks: expanded and “compressed” addresses
#8 Updated by intrigeri 2015-12-02 04:16:11
- related to Bug #6343: List potentially identifying information sent in Whisperback reports added
#9 Updated by intrigeri 2015-12-02 04:18:17
- related to Bug #10695: unscrubbed URL in .xsession-errors (and therefore, in whisperback report) added
#10 Updated by alant 2019-09-04 20:45:19
- Assignee deleted (
alant)
#11 Updated by alant 2019-09-04 20:51:35
- Feature Branch set to bugfix/6769-filter-more-serial-nos