author | Drew Fisher <drew.fisher@oracle.com> |
Fri, 18 Nov 2016 07:32:35 -0800 | |
changeset 7351 | 8f50566e8278 |
permissions | -rw-r--r-- |
7351
8f50566e8278
25119382 problem in SERVICE/HEAT
Drew Fisher <drew.fisher@oracle.com>

Upstream patch from https://review.openstack.org/393148 to address
CVE-2016-9185

From 8c681f2641ab81410a8fb99bd76ec735ba3add1e Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez <[email protected]>
Date: Mon, 17 Oct 2016 10:22:42 +0200
Subject: [PATCH] Prevent template validate from scanning ports

The template validation method in the heat API allows one to specify the
template to validate using a URL with the 'template_url' parameter.

By entering invalid http URLs, like 'http://localhost:22', it is
possible to scan ports by evaluating the error message of the request.

For example, the request

curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
-X POST -d '{"template_url": "http://localhost:22"}' \
http://127.0.0.1:8004/v1/<TENANT_ID>/validate

causes the following error message to be returned to the user:

"Could not retrieve template: Failed to retrieve template:
('Connection aborted.',
BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"

This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.

To prevent this information leak, this patch alters the error message
to not include such details when the url scheme is not 'file'.

SecurityImpact

Closes-Bug: #1606500

Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
---
heat/common/urlfetch.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
index 7efd968..8a7deae 100644
--- a/heat/common/urlfetch.py
+++ b/heat/common/urlfetch.py
@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
return result

except exceptions.RequestException as ex:
- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
+ LOG.info(_LI('Failed to retrieve template: %s') % ex)
+ raise URLFetchError(_('Failed to retrieve template from %s') % url)
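Review bot: the new raise in this hunk drops the exception detail unconditionally, while the commit message says detail is still returned when the URL scheme is 'file'; that carve-out is not visible here (presumably it is handled earlier in get(), above line 75, but that is not shown), so a one-line comment at the new raise, or a sentence in the message naming the file-scheme branch, would make the stated behaviour checkable from the diff. Separately, `LOG.info(_LI('Failed to retrieve template: %s') % ex)` formats the message eagerly; the usual form is to hand the argument to the logger, `LOG.info(_LI('Failed to retrieve template: %s'), ex)`. Keeping the full detail at INFO in the service log is the right place for it: operators retain the diagnostic, and the tenant only gets back the URL it supplied.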
--
1.9.1
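The fix pattern described in the commit message, written out as an added example that is not Heat's own code: transport errors for remote schemes are logged server-side and the tenant-facing error carries only the URL, while file-scheme errors keep their detail. The injected `opener` callable, the `URLFetchError` stand-in and the constructed failures are assumptions of this example.

```python
import logging
from urllib.parse import urlparse

LOG = logging.getLogger(__name__)


class URLFetchError(Exception):
    """Error returned to the tenant (stand-in for Heat's class, not its code)."""


def fetch_template(url, opener, allowed_schemes=('http', 'https')):
    """Fetch a template for validation, hiding transport detail from the caller.

    `opener(url)` is an injected callable (an assumption of this example) that
    returns the body or raises an exception whose text may carry whatever the
    remote socket sent back, e.g. an SSH banner when the port is not HTTP.
    """
    scheme = urlparse(url).scheme
    if scheme not in allowed_schemes:
        raise URLFetchError('Invalid URL scheme %s' % scheme)
    if scheme == 'file':
        # Local-file errors describe the API host's own filesystem, not a
        # remote socket, so the commit message keeps their detail.
        try:
            return opener(url)
        except OSError as ex:
            raise URLFetchError('Failed to retrieve template: %s' % ex)
    try:
        return opener(url)
    except Exception as ex:  # Heat narrows this to requests' RequestException
        # Operators keep the full detail in the service log ...
        LOG.info('Failed to retrieve template: %s', ex)
        # ... while the tenant only gets back the URL it supplied.
        raise URLFetchError('Failed to retrieve template from %s' % url)


def user_message_for(url, opener, allowed_schemes=('http', 'https')):
    """Message a tenant would see for a failing fetch, or None on success."""
    try:
        fetch_template(url, opener, allowed_schemes)
    except URLFetchError as ex:
        return str(ex)
    return None


# Constructed failures standing in for real network and filesystem errors.
def banner_opener(url):
    # Same shape as the leak in the commit message: a non-HTTP banner in the text.
    raise ConnectionError("('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.2p2\\r\\n',))")


def missing_file_opener(url):
    raise FileNotFoundError('No such file: /srv/templates/missing.yaml (constructed)')
```

A regression test for the patch would assert exactly this split: the user-facing string names the URL and nothing from the exception, and the file-scheme path is unchanged.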