components/python/oslo.middleware/patches/cve-2017-2592.patch
author Drew Fisher <drew.fisher@oracle.com>
Sun, 05 Feb 2017 14:39:15 -0800
changeset 7645 52890fa47021
permissions -rw-r--r--
25501183 problem in PYTHON-MOD/OSLO.MIDDLEWAR
Upstream patch to address CVE-2017-2592.
https://launchpad.net/bugs/1628031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2592
This patch can be removed when updating to a newer version which
contains this fix.
From ec073669a49267abcb0c1d776b9050342dac5a4a Mon Sep 17 00:00:00 2001
From: Jamie Lennox <[email protected]>
Date: Wed, 28 Sep 2016 15:03:53 +1000
Subject: [PATCH] Filter token data out of catch_errors middleware
If an exception is caught by the catch_errors middleware the entire
request is dumped into the log including sensitive information like
tokens. Filter that information before outputting the failed request.
Closes-Bug: #1628031
Change-Id: I2563403993513c37751576223275350cac2e0937
---
 oslo_middleware/catch_errors.py            |  6 +++++-
 oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
index 43d085f..0934fc5 100644
--- a/oslo_middleware/catch_errors.py
+++ b/oslo_middleware/catch_errors.py
@@ -14,6 +14,7 @@
 #    under the License.
 
 import logging
+import re
 
 import webob.dec
 import webob.exc
@@ -24,6 +25,8 @@ from oslo_middleware import base
 
 LOG = logging.getLogger(__name__)
 
+_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
+
 
 class CatchErrors(base.ConfigurableMiddleware):
     """Middleware that provides high-level error handling.
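Review bot: The pattern on the `_TOKEN_RE` line is an ordinary string literal containing `\w`, and it only matches header names of the exact shape `X-<word>-Token`. Write it as a raw string (r'^(X-\w+-Token):.*$') so the escape is not left to the string parser, and consider whether credential-bearing headers that do not fit this shape (for example Authorization or Cookie) should be redacted as well, since anything the pattern misses is still written to the log. The match is also case-sensitive, so it depends on the serialized request using exactly this capitalization; adding re.IGNORECASE would remove that dependency.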
@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
         try:
             response = req.get_response(self.application)
         except Exception:
+            req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
             LOG.exception(_LE('An error occurred during '
-                              'processing the request: %s'), req)
+                              'processing the request: %s'), req_str)
             response = webob.exc.HTTPInternalServerError()
         return response
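Review bot: `req.as_text()` is now evaluated inside the `except Exception:` block, before `LOG.exception` and before the 500 response is built, so if serializing the request raises, the error escapes the middleware instead of being turned into `HTTPInternalServerError`. Before this change `req` was only passed as a `%s` argument to the logger. Consider guarding the serialization, or falling back to a minimal description of the request, so the handler always returns a response. Also note that only header lines matching `_TOKEN_RE` are replaced; the rest of the serialized request, body included, is still logged, so credentials carried in a request body remain in the log.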
diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
index 920bbe2..0b675e2 100644
--- a/oslo_middleware/tests/test_catch_errors.py
+++ b/oslo_middleware/tests/test_catch_errors.py
@@ -13,6 +13,7 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
+import fixtures
 import mock
 from oslotest import base as test_base
 import webob.dec
@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
             self._test_has_request_id(application,
                                       webob.exc.HTTPInternalServerError.code)
             self.assertEqual(1, log_exc.call_count)
+
+    def test_filter_tokens_from_log(self):
+        logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
+
+        @webob.dec.wsgify
+        def application(req):
+            raise Exception()
+
+        app = catch_errors.CatchErrors(application)
+        req = webob.Request.blank('/test',
+                                  text=u'test data',
+                                  method='POST',
+                                  headers={'X-Auth-Token': 'secret1',
+                                           'X-Service-Token': 'secret2',
+                                           'X-Other-Token': 'secret3'})
+        res = req.get_response(app)
+        self.assertEqual(500, res.status_int)
+
+        output = logger.output
+
+        self.assertIn('X-Auth-Token: <removed>', output)
+        self.assertIn('X-Service-Token: <removed>', output)
+        self.assertIn('X-Other-Token: <removed>', output)
+        self.assertIn('test data', output)
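Review bot: The new test asserts that the `<removed>` markers appear but never asserts that the secret values are absent, so it would still pass if a token value were written elsewhere in the log output. Add `self.assertNotIn('secret1', output)` and the same for 'secret2' and 'secret3'. The final `self.assertIn('test data', output)` also pins the behaviour that the request body is logged unfiltered, which deserves a comment in the test if that is intended.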
-- 
1.9.1