cmdline:burn: do not retain false memories

If argv contains a secret option without an '=' (or in the case of
"-U", the username is separated by space), we will get to the
`if (strlen(p) == ulen) { continue; }` without resetting the found
and is_user variables. This *sometimes* has the right effect, because
the next string in argv ought to contain the secret.

But in a case like {"--password", "1234567890"}, where the secret
string is the same length as the option, we *again* take that branch
and the password is not redacted, though the argument after it will be
unless it is also of the same length.

If we always set the flags at the start we avoid this. This makes
things worse in the short term for secrets that are not the same
length as their options, but we'll get to that in another commit soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15674

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

diff --git a/lib/cmdline/cmdline.c b/lib/cmdline/cmdline.c
index 8d5dc36e42b0404e12e1322addf25987a56c7d86..627e3f719f21d5d895bfae43f849b2045ff478e8 100644 (file)
--- a/lib/cmdline/cmdline.c
+++ b/lib/cmdline/cmdline.c
@@ -150,6 +150,9 @@ bool samba_cmdline_burn(int argc, char *argv[])
                        return false;
                }
 
+               found = false;
+               is_user = false;
+
                /*
                 * Take care that this list must be in longest-match
                 * first order
@@ -192,8 +195,6 @@ bool samba_cmdline_burn(int argc, char *argv[])
                        }
 
                        memset_s(p, strlen(p), '\0', strlen(p));
-                       found = false;
-                       is_user = false;
                        burnt = true;
                }
        }