bug fixes in block creation and directory security

src/etc/onionrvalues.py

@@ -23,7 +23,7 @@ import filepaths
 DENIABLE_PEER_ADDRESS = "OVPCZLOXD6DC5JHX4EQ3PSOGAZ3T24F75HQLIUZSDSMYPEOXCPFA"
 PASSWORD_LENGTH = 25
 ONIONR_TAGLINE = 'Private P2P Communication - GPLv3 - https://Onionr.net'
-ONIONR_VERSION = '7.0.0'
+ONIONR_VERSION = '7.1.0'
 ONIONR_VERSION_CODENAME = 'Genesis'
 ONIONR_VERSION_TUPLE = tuple(ONIONR_VERSION.split('.')) # (MAJOR, MINOR, VERSION)
 API_VERSION = '2' # increments of 1; only change when something fundamental about how the API works changes. This way other nodes know how to communicate without learning too much information about you.

src/onionrexceptions.py

@@ -95,6 +95,11 @@ class Timeout(Exception):
 
 # file exceptions
 
+class InsecureDirectoryUsage(IOError):
+    """This occurs when a directory used by the daemon is not owned by the user.
+    This is important to stop code execution attacks"""
+    pass
+
 class DiskAllocationReached(Exception):
     pass
 

src/onionrproofs/subprocesspow.py

@@ -116,24 +116,26 @@ class SubprocessPOW:
         metadata['n'] = secrets.randbits(16)
         puzzle = self.puzzle
         difficulty = self.difficulty
-
-        while True:
-            # Break if shutdown received
-            try:
-                if pipe.poll() and pipe.recv() == 'shutdown':
+        try:
+            while True:
+                # Break if shutdown received
+                try:
+                    if pipe.poll() and pipe.recv() == 'shutdown':
+                        break
+                except KeyboardInterrupt:
                     break
-            except KeyboardInterrupt:
-                break
-            # Load nonce into block metadata
-            metadata['c'] = nonce
-            # Serialize metadata, combine with block data
-            payload = json.dumps(metadata).encode() + b'\n' + data
-            # Check sha3_256 hash of block, compare to puzzle
-            # Send payload if puzzle finished
-            token = sha3_hash(payload)
-            # ensure token is string
-            token = bytesconverter.bytes_to_str(token)
-            if puzzle == token[0:difficulty]:
-                pipe.send(payload)
-                break
-            nonce += 1
+                # Load nonce into block metadata
+                metadata['c'] = nonce
+                # Serialize metadata, combine with block data
+                payload = json.dumps(metadata).encode() + b'\n' + data
+                # Check sha3_256 hash of block, compare to puzzle
+                # Send payload if puzzle finished
+                token = sha3_hash(payload)
+                # ensure token is string
+                token = bytesconverter.bytes_to_str(token)
+                if puzzle == token[0:difficulty]:
+                    pipe.send(payload)
+                    break
+                nonce += 1
+        except KeyboardInterrupt:
+            pass

src/utils/createdirs.py

@@ -4,9 +4,12 @@ Create required Onionr directories
 """
 import os
 import stat
+from pwd import getpwuid
+from getpass import getuser
 
 from . import identifyhome
 import filepaths
+import onionrexceptions
 """
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -24,6 +27,10 @@ import filepaths
 home = identifyhome.identify_home()
 
 
+def find_owner(filename):
+    return getpwuid(os.stat(filename).st_uid).pw_name
+
+
 def create_dirs():
     """Create onionr data-related directories in
     order of the hardcoded list below,
@@ -33,6 +40,11 @@ def create_dirs():
     for path in gen_dirs:
         if not os.path.exists(path):
             os.makedirs(path)
+        else:
+            if getuser() != find_owner(path):
+                raise onionrexceptions.InsecureDirectoryUsage(
+                    "Directory " + path +
+                    " already exists and is not owned by the same user")
 
     os.chmod(home, stat.S_IRWXU)