Version v1.53.3

This shouldn't be read as encouraging the use of math/rand instead of
crypto/rand in security sensitive contexts, rather as a safer default
if that does happen by accident.

MANUAL.html

@@ -17,7 +17,7 @@
 <header id="title-block-header">
 <h1 class="title">rclone(1) User Manual</h1>
 <p class="author">Nick Craig-Wood</p>
-<p class="date">Oct 26, 2020</p>
+<p class="date">Nov 19, 2020</p>
 </header>
 <h1 id="rclone-syncs-your-files-to-cloud-storage">Rclone syncs your files to cloud storage</h1>
 <p><img width="50%" src="https://rclone.org/img/logo_on_light__horizontal_color.svg" alt="rclone logo" style="float:right; padding: 5px;" ></p>
@@ -6291,7 +6291,7 @@ Showing nodes accounting for 1537.03kB, 100% of 1537.03kB total
       --use-json-log                         Use json log format.
       --use-mmap                             Use mmap allocator (see docs).
       --use-server-modtime                   Use server modified time instead of object metadata
-      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default &quot;rclone/v1.53.2&quot;)
+      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default &quot;rclone/v1.53.3&quot;)
   -v, --verbose count                        Print lots more stuff (repeat for more)</code></pre>
 <h2 id="backend-flags">Backend Flags</h2>
 <p>These flags are available for every command. They control the backends and may be set in the config file.</p>
@@ -18552,6 +18552,27 @@ $ tree /tmp/b
 <li>"error": return an error based on option value</li>
 </ul>
 <h1 id="changelog">Changelog</h1>
+<h2 id="v1.53.3---2020-11-19">v1.53.3 - 2020-11-19</h2>
+<p><a href="https://github.com/rclone/rclone/compare/v1.53.2...v1.53.3">See commits</a></p>
+<ul>
+<li>Bug Fixes
+<ul>
+<li>random: Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 (Nick Craig-Wood)
+<ul>
+<li>Passwords you have generated with <code>rclone config</code> may be insecure</li>
+<li>See <a href="https://github.com/rclone/rclone/issues/4783">issue #4783</a> for more details and a checking tool</li>
+</ul></li>
+<li>random: Seed math/rand in one place with crypto strong seed (Nick Craig-Wood)</li>
+</ul></li>
+<li>VFS
+<ul>
+<li>Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)</li>
+</ul></li>
+<li>Sharefile
+<ul>
+<li>Fix backend due to API swapping integers for strings (Nick Craig-Wood)</li>
+</ul></li>
+</ul>
 <h2 id="v1.53.2---2020-10-26">v1.53.2 - 2020-10-26</h2>
 <p><a href="https://github.com/rclone/rclone/compare/v1.53.1...v1.53.2">See commits</a></p>
 <ul>

MANUAL.md

@@ -1,6 +1,6 @@
 % rclone(1) User Manual
 % Nick Craig-Wood
-% Oct 26, 2020
+% Nov 19, 2020
 
 # Rclone syncs your files to cloud storage
 
@@ -10569,7 +10569,7 @@ These flags are available for every command.
       --use-json-log                         Use json log format.
       --use-mmap                             Use mmap allocator (see docs).
       --use-server-modtime                   Use server modified time instead of object metadata
-      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.2")
+      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.3")
   -v, --verbose count                        Print lots more stuff (repeat for more)
 ```
 
@@ -25727,6 +25727,20 @@ Options:
 
 # Changelog
 
+## v1.53.3 - 2020-11-19
+
+[See commits](https://github.com/rclone/rclone/compare/v1.53.2...v1.53.3)
+
+* Bug Fixes
+    * random: Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 (Nick Craig-Wood)
+        * Passwords you have generated with `rclone config` may be insecure
+        * See [issue #4783](https://github.com/rclone/rclone/issues/4783) for more details and a checking tool
+    * random: Seed math/rand in one place with crypto strong seed (Nick Craig-Wood)
+* VFS
+    * Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)
+* Sharefile
+    * Fix backend due to API swapping integers for strings (Nick Craig-Wood)
+
 ## v1.53.2 - 2020-10-26
 
 [See commits](https://github.com/rclone/rclone/compare/v1.53.1...v1.53.2)

MANUAL.txt

@@ -1,6 +1,6 @@
 rclone(1) User Manual
 Nick Craig-Wood
-Oct 26, 2020
+Nov 19, 2020
 
 
 
@@ -10660,7 +10660,7 @@ These flags are available for every command.
           --use-json-log                         Use json log format.
           --use-mmap                             Use mmap allocator (see docs).
           --use-server-modtime                   Use server modified time instead of object metadata
-          --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.2")
+          --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.3")
       -v, --verbose count                        Print lots more stuff (repeat for more)
 
 
@@ -25700,6 +25700,25 @@ Options:
 CHANGELOG
 
 
+v1.53.3 - 2020-11-19
+
+See commits
+
+-   Bug Fixes
+    -   random: Fix incorrect use of math/rand instead of crypto/rand
+        CVE-2020-28924 (Nick Craig-Wood)
+        -   Passwords you have generated with rclone config may be
+            insecure
+        -   See issue #4783 for more details and a checking tool
+    -   random: Seed math/rand in one place with crypto strong seed
+        (Nick Craig-Wood)
+-   VFS
+    -   Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)
+-   Sharefile
+    -   Fix backend due to API swapping integers for strings (Nick
+        Craig-Wood)
+
+
 v1.53.2 - 2020-10-26
 
 See commits

VERSION

@@ -1 +1 @@
-v1.53.2
+v1.53.3

backend/sharefile/api/types.go

@@ -106,7 +106,7 @@ type UploadSpecification struct {
 type UploadFinishResponse struct {
 	Error        bool   `json:"error"`
 	ErrorMessage string `json:"errorMessage"`
-	ErrorCode    int    `json:"errorCode"`
+	ErrorCode    int    `json:"errorCode,string"`
 	Value        []struct {
 		UploadID    string `json:"uploadid"`
 		ParentID    string `json:"parentid"`
@@ -114,7 +114,7 @@ type UploadFinishResponse struct {
 		StreamID    string `json:"streamid"`
 		FileName    string `json:"filename"`
 		DisplayName string `json:"displayname"`
-		Size        int    `json:"size"`
+		Size        int    `json:"size,string"`
 		Md5         string `json:"md5"`
 	} `json:"value"`
 }

backend/union/policy/eprand.go

@@ -3,7 +3,6 @@ package policy
 import (
 	"context"
 	"math/rand"
-	"time"
 
 	"github.com/rclone/rclone/backend/union/upstream"
 	"github.com/rclone/rclone/fs"
@@ -20,12 +19,10 @@ type EpRand struct {
 }
 
 func (p *EpRand) rand(upstreams []*upstream.Fs) *upstream.Fs {
-	rand.Seed(time.Now().Unix())
 	return upstreams[rand.Intn(len(upstreams))]
 }
 
 func (p *EpRand) randEntries(entries []upstream.Entry) upstream.Entry {
-	rand.Seed(time.Now().Unix())
 	return entries[rand.Intn(len(entries))]
 }
 

cmd/cmd.go

@@ -9,7 +9,6 @@ package cmd
 import (
 	"fmt"
 	"log"
-	"math/rand"
 	"os"
 	"os/exec"
 	"path"
@@ -35,6 +34,7 @@ import (
 	"github.com/rclone/rclone/fs/rc/rcflags"
 	"github.com/rclone/rclone/fs/rc/rcserver"
 	"github.com/rclone/rclone/lib/atexit"
+	"github.com/rclone/rclone/lib/random"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 )
@@ -512,7 +512,9 @@ func AddBackendFlags() {
 
 // Main runs rclone interpreting flags and commands out of os.Args
 func Main() {
-	rand.Seed(time.Now().Unix())
+	if err := random.Seed(); err != nil {
+		log.Fatalf("Fatal error: %v", err)
+	}
 	setupRootCommand(Root)
 	AddBackendFlags()
 	if err := Root.Execute(); err != nil {

docs/content/changelog.md

@@ -5,6 +5,20 @@ description: "Rclone Changelog"
 
 # Changelog
 
+## v1.53.3 - 2020-11-19
+
+[See commits](https://github.com/rclone/rclone/compare/v1.53.2...v1.53.3)
+
+* Bug Fixes
+    * random: Fix incorrect use of math/rand instead of crypto/rand CVE-2020-28924 (Nick Craig-Wood)
+        * Passwords you have generated with `rclone config` may be insecure
+        * See [issue #4783](https://github.com/rclone/rclone/issues/4783) for more details and a checking tool
+    * random: Seed math/rand in one place with crypto strong seed (Nick Craig-Wood)
+* VFS
+    * Fix vfs/refresh calls with fs= parameter (Nick Craig-Wood)
+* Sharefile
+    * Fix backend due to API swapping integers for strings (Nick Craig-Wood)
+
 ## v1.53.2 - 2020-10-26
 
 [See commits](https://github.com/rclone/rclone/compare/v1.53.1...v1.53.2)

docs/content/flags.md

@@ -147,7 +147,7 @@ These flags are available for every command.
       --use-json-log                         Use json log format.
       --use-mmap                             Use mmap allocator (see docs).
       --use-server-modtime                   Use server modified time instead of object metadata
-      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.2")
+      --user-agent string                    Set the user-agent to a specified string. The default is rclone/ version (default "rclone/v1.53.3")
   -v, --verbose count                        Print lots more stuff (repeat for more)
 ```
 

docs/layouts/partials/version.html

@@ -1 +1 @@
-v1.53.2
+v1.53.3

fs/version.go

@@ -1,4 +1,4 @@
 package fs
 
 // Version of rclone
-var Version = "v1.53.2-DEV"
+var Version = "v1.53.3-DEV"

lib/random/random.go

@@ -2,8 +2,10 @@
 package random
 
 import (
+	cryptorand "crypto/rand"
 	"encoding/base64"
-	"math/rand"
+	"encoding/binary"
+	mathrand "math/rand"
 
 	"github.com/pkg/errors"
 )
@@ -23,7 +25,7 @@ func String(n int) string {
 	for i := range out {
 		source := pattern[p]
 		p = (p + 1) % len(pattern)
-		out[i] = source[rand.Intn(len(source))]
+		out[i] = source[mathrand.Intn(len(source))]
 	}
 	return string(out)
 }
@@ -41,7 +43,7 @@ func Password(bits int) (password string, err error) {
 		bytes++
 	}
 	var pw = make([]byte, bytes)
-	n, err := rand.Read(pw)
+	n, err := cryptorand.Read(pw)
 	if err != nil {
 		return "", errors.Wrap(err, "password read failed")
 	}
@@ -51,3 +53,19 @@ func Password(bits int) (password string, err error) {
 	password = base64.RawURLEncoding.EncodeToString(pw)
 	return password, nil
 }
+
+// Seed the global math/rand with crypto strong data
+//
+// This doesn't make it OK to use math/rand in crypto sensitive
+// environments - don't do that! However it does help to mitigate the
+// problem if that happens accidentally. This would have helped with
+// CVE-2020-28924 - #4783
+func Seed() error {
+	var seed int64
+	err := binary.Read(cryptorand.Reader, binary.LittleEndian, &seed)
+	if err != nil {
+		return errors.Wrap(err, "failed to read random seed")
+	}
+	mathrand.Seed(seed)
+	return nil
+}

lib/random/random_test.go

@@ -1,6 +1,7 @@
 package random
 
 import (
+	"math/rand"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -48,3 +49,16 @@ func TestPasswordDuplicates(t *testing.T) {
 		seen[s] = true
 	}
 }
+
+func TestSeed(t *testing.T) {
+	// seed 100 times and check the first random number doesn't repeat
+	// This test could fail with a probability of ~ 10**-15
+	const n = 100
+	var seen = map[int64]bool{}
+	for i := 0; i < n; i++ {
+		assert.NoError(t, Seed())
+		first := rand.Int63()
+		assert.False(t, seen[first])
+		seen[first] = true
+	}
+}

rclone.1

@@ -1,7 +1,7 @@
 .\"t
 .\" Automatically generated by Pandoc 2.5
 .\"
-.TH "rclone" "1" "Oct 26, 2020" "User Manual" ""
+.TH "rclone" "1" "Nov 19, 2020" "User Manual" ""
 .hy
 .SH Rclone syncs your files to cloud storage
 .PP
@@ -14154,7 +14154,7 @@ These flags are available for every command.
       \-\-use\-json\-log                         Use json log format.
       \-\-use\-mmap                             Use mmap allocator (see docs).
       \-\-use\-server\-modtime                   Use server modified time instead of object metadata
-      \-\-user\-agent string                    Set the user\-agent to a specified string. The default is rclone/ version (default \[dq]rclone/v1.53.2\[dq])
+      \-\-user\-agent string                    Set the user\-agent to a specified string. The default is rclone/ version (default \[dq]rclone/v1.53.3\[dq])
   \-v, \-\-verbose count                        Print lots more stuff (repeat for more)
 \f[R]
 .fi
@@ -35088,6 +35088,39 @@ Options:
 .IP \[bu] 2
 \[dq]error\[dq]: return an error based on option value
 .SH Changelog
+.SS v1.53.3 \- 2020\-11\-19
+.PP
+See commits (https://github.com/rclone/rclone/compare/v1.53.2...v1.53.3)
+.IP \[bu] 2
+Bug Fixes
+.RS 2
+.IP \[bu] 2
+random: Fix incorrect use of math/rand instead of crypto/rand
+CVE\-2020\-28924 (Nick Craig\-Wood)
+.RS 2
+.IP \[bu] 2
+Passwords you have generated with \f[C]rclone config\f[R] may be
+insecure
+.IP \[bu] 2
+See issue #4783 (https://github.com/rclone/rclone/issues/4783) for more
+details and a checking tool
+.RE
+.IP \[bu] 2
+random: Seed math/rand in one place with crypto strong seed (Nick
+Craig\-Wood)
+.RE
+.IP \[bu] 2
+VFS
+.RS 2
+.IP \[bu] 2
+Fix vfs/refresh calls with fs= parameter (Nick Craig\-Wood)
+.RE
+.IP \[bu] 2
+Sharefile
+.RS 2
+.IP \[bu] 2
+Fix backend due to API swapping integers for strings (Nick Craig\-Wood)
+.RE
 .SS v1.53.2 \- 2020\-10\-26
 .PP
 See commits (https://github.com/rclone/rclone/compare/v1.53.1...v1.53.2)

vfs/rc.go

@@ -23,6 +23,8 @@ must be supplied.`
 //
 // If "fs" is not set and there is one and only one VFS in the active
 // cache then it returns it. This is for backwards compatibility.
+//
+// This deletes the "fs" parameter from in if it is valid
 func getVFS(in rc.Params) (vfs *VFS, err error) {
 	fsString, err := in.GetString("fs")
 	if rc.IsErrParamNotFound(err) {
@@ -46,6 +48,7 @@ func getVFS(in rc.Params) (vfs *VFS, err error) {
 	} else if len(activeVFS) > 1 {
 		return nil, errors.Errorf("more than one VFS active with name %q", fsString)
 	}
+	delete(in, "fs") // delete the fs parameter
 	return activeVFS[0], nil
 }
 

vfs/rc_test.go

@@ -57,6 +57,7 @@ func TestRcGetVFS(t *testing.T) {
 	assert.Contains(t, err.Error(), "more than one VFS active - need")
 	assert.Nil(t, vfs)
 
+	inPresent = rc.Params{"fs": fs.ConfigString(r.Fremote)}
 	vfs, err = getVFS(inPresent)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "more than one VFS active with name")
@@ -67,7 +68,8 @@ func TestRcForget(t *testing.T) {
 	r, vfs, cleanup, call := rcNewRun(t, "vfs/forget")
 	defer cleanup()
 	_, _ = r, vfs
-	out, err := call.Fn(context.Background(), nil)
+	in := rc.Params{"fs": fs.ConfigString(r.Fremote)}
+	out, err := call.Fn(context.Background(), in)
 	require.NoError(t, err)
 	assert.Equal(t, rc.Params{
 		"forgotten": []string{},
@@ -79,7 +81,8 @@ func TestRcRefresh(t *testing.T) {
 	r, vfs, cleanup, call := rcNewRun(t, "vfs/refresh")
 	defer cleanup()
 	_, _ = r, vfs
-	out, err := call.Fn(context.Background(), nil)
+	in := rc.Params{"fs": fs.ConfigString(r.Fremote)}
+	out, err := call.Fn(context.Background(), in)
 	require.NoError(t, err)
 	assert.Equal(t, rc.Params{
 		"result": map[string]string{