upstream/oracle/userland-gate: components/openstack/swift/patches/01-CVE-2014-0006.patch@77584387a894 (annotated)

3178 77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	1	This proposed upstream patch addresses CVE-2014-0006 and is tracked
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	2	under Launchpad bug 1265665. Although it's been addressed in 1.12.0,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	3	the patch below is still not yet released for 1.10.0.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	4
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	5	commit b2c61375b3255486adb2900922a894dc7dad3c6d
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	6	Author: Samuel Merritt <[email protected]>
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	7	Date: Thu Jan 16 13:44:23 2014 +0100
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	8
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	9	Use constant time comparison in tempURL
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	10
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	11	Use constant time comparison when evaluating tempURL to avoid timing
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	12	attacks (CVE-2014-0006). This is the havana backport of the master
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	13	patch.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	14
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	15	Fixes bug 1265665
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	16
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	17	Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	18
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	19	diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	20	index ffc1431..ae2f4a1 100644
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	21	--- a/swift/common/middleware/tempurl.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	22	+++ b/swift/common/middleware/tempurl.py
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	23	@@ -98,7 +98,7 @@ from urlparse import parse_qs
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	24
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	25	from swift.proxy.controllers.base import get_account_info
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	26	from swift.common.swob import HeaderKeyDict
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	27	-from swift.common.utils import split_path
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	28	+from swift.common.utils import split_path, streq_const_time
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	29
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	30
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	31	#: Default headers to remove from incoming requests. Simply a whitespace
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	32	@@ -267,17 +267,20 @@ class TempURL(object):
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	33	if not keys:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	34	return self._invalid(env, start_response)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	35	if env['REQUEST_METHOD'] == 'HEAD':
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	36	- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	37	- request_method='GET')
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	38	- if temp_url_sig not in hmac_vals:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	39	- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	40	- request_method='PUT')
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	41	- if temp_url_sig not in hmac_vals:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	42	- return self._invalid(env, start_response)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	43	+ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	44	+ request_method='GET') +
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	45	+ self._get_hmacs(env, temp_url_expires, keys,
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	46	+ request_method='PUT'))
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	47	else:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	48	hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	49	- if temp_url_sig not in hmac_vals:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	50	- return self._invalid(env, start_response)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	51	+
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	52	+ # While it's true that any() will short-circuit, this doesn't affect
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	53	+ # the timing-attack resistance since the only way this will
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	54	+ # short-circuit is when a valid signature is passed in.
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	55	+ is_valid_hmac = any(streq_const_time(temp_url_sig, h)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	56	+ for h in hmac_vals)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	57	+ if not is_valid_hmac:
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	58	+ return self._invalid(env, start_response)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	59	self._clean_incoming_headers(env)
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	60	env['swift.authorize'] = lambda req: None
77584387a894 PSARC/2014/207 OpenStack Glance Update to Havana Drew Fisher <drew.fisher@oracle.com> parents: diff changeset	61	env['swift.authorize_override'] = True

author	Drew Fisher <drew.fisher@oracle.com>
	Fri, 13 Jun 2014 09:10:23 -0700
branch	s11-update
changeset 3178	77584387a894
permissions	-rw-r--r--