This proposed upstream patch addresses CVE-2014-0006 and is tracked |
under Launchpad bug 1265665. Although it's been addressed in 1.12.0, |
the patch below has not yet been released for 1.10.0. |
|
commit b2c61375b3255486adb2900922a894dc7dad3c6d |
Author: Samuel Merritt <[email protected]> |
Date: Thu Jan 16 13:44:23 2014 +0100 |
|
Use constant time comparison in tempURL |
|
Use constant time comparison when evaluating tempURL to avoid timing |
attacks (CVE-2014-0006). This is the havana backport of the master |
patch. |
|
Fixes bug 1265665 |
|
Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48 |
|
19 |
diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py |
20 |
index ffc1431..ae2f4a1 100644 |
21 |
--- a/swift/common/middleware/tempurl.py |
22 |
+++ b/swift/common/middleware/tempurl.py |
23 |
@@ -98,7 +98,7 @@ from urlparse import parse_qs |
24 |
|
25 |
from swift.proxy.controllers.base import get_account_info |
26 |
from swift.common.swob import HeaderKeyDict |
27 |
-from swift.common.utils import split_path |
28 |
+from swift.common.utils import split_path, streq_const_time |
29 |
|
30 |
|
31 |
#: Default headers to remove from incoming requests. Simply a whitespace |
32 |
@@ -267,17 +267,20 @@ class TempURL(object): |
33 |
if not keys: |
34 |
return self._invalid(env, start_response) |
35 |
if env['REQUEST_METHOD'] == 'HEAD': |
36 |
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys, |
37 |
- request_method='GET') |
38 |
- if temp_url_sig not in hmac_vals: |
39 |
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys, |
40 |
- request_method='PUT') |
41 |
- if temp_url_sig not in hmac_vals: |
42 |
- return self._invalid(env, start_response) |
43 |
+ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys, |
44 |
+ request_method='GET') + |
45 |
+ self._get_hmacs(env, temp_url_expires, keys, |
46 |
+ request_method='PUT')) |
47 |
else: |
48 |
hmac_vals = self._get_hmacs(env, temp_url_expires, keys) |
49 |
- if temp_url_sig not in hmac_vals: |
50 |
- return self._invalid(env, start_response) |
51 |
+ |
52 |
+ # While it's true that any() will short-circuit, this doesn't affect |
53 |
+ # the timing-attack resistance since the only way this will |
54 |
+ # short-circuit is when a valid signature is passed in. |
55 |
+ is_valid_hmac = any(streq_const_time(temp_url_sig, h) |
56 |
+ for h in hmac_vals) |
57 |
+ if not is_valid_hmac: |
58 |
+ return self._invalid(env, start_response) |
59 |
self._clean_incoming_headers(env) |
60 |
env['swift.authorize'] = lambda req: None |
61 |
env['swift.authorize_override'] = True |
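Review bot: The timing-resistance of the new check at `is_valid_hmac = any(streq_const_time(temp_url_sig, h) for h in hmac_vals)` now rests entirely on the contract of `streq_const_time` (imported from swift.common.utils in the first hunk), and nothing in this hunk states what that contract is — that the helper must not reveal the position of the first differing byte, and that an early return on a length mismatch (common in such helpers; I have not verified this one) is acceptable here only because the length of a valid signature is not secret. I would add, above that line, `# streq_const_time must touch every byte regardless of where the first mismatch is; rejecting a length mismatch early is fine because the expected digest length is not secret.` The HEAD branch also changed from lazily trying GET then PUT to computing both HMAC sets up front, which is what keeps the comparison uniform across methods; a one-line comment such as `# Compute both candidate sets up front so the comparison below is uniform for HEAD.` would stop a later reader from "optimising" it back into the old short-circuit form. The enclosing method of TempURL starts before this hunk (where `keys` and `temp_url_sig` are derived) and continues past its last line.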