components/openstack/heat/patches/09-cve-2016-9185.patch
author Drew Fisher <drew.fisher@oracle.com>
Fri, 18 Nov 2016 07:32:35 -0800
changeset 7351 8f50566e8278
permissions -rw-r--r--
25119382 problem in SERVICE/HEAT
Upstream patch from https://review.openstack.org/393148 to address
CVE-2016-9185

From 8c681f2641ab81410a8fb99bd76ec735ba3add1e Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez <[email protected]>
Date: Mon, 17 Oct 2016 10:22:42 +0200
Subject: [PATCH] Prevent template validate from scanning ports

The template validation method in the heat API allows specifying the
template to validate using a URL with the 'template_url' parameter.

By entering invalid http URLs, like 'http://localhost:22', it is
possible to scan ports by evaluating the error message of the request.

For example, the request

curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
-X POST -d '{"template_url": "http://localhost:22"}' \
http://127.0.0.1:8004/v1/<TENANT_ID>/validate

causes the following error message to be returned to the user:

"Could not retrieve template: Failed to retrieve template:
('Connection aborted.',
BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"

This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.

To prevent this information leak, this patch alters the error message
to not include such details when the url scheme is not 'file'.

SecurityImpact

Closes-Bug: #1606500

Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
---
 heat/common/urlfetch.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
index 7efd968..8a7deae 100644
--- a/heat/common/urlfetch.py
+++ b/heat/common/urlfetch.py
@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
         return result
 
     except exceptions.RequestException as ex:
-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
+        LOG.info(_LI('Failed to retrieve template: %s') % ex)
+        raise URLFetchError(_('Failed to retrieve template from %s') % url)
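Review bot: `LOG.info(_LI('Failed to retrieve template: %s') % ex)` formats the message eagerly with `%`; pass the argument to the logger instead, `LOG.info(_LI('Failed to retrieve template: %s'), ex)`, so interpolation is deferred and the log call follows the usual oslo.log convention. The hunk also uses `LOG` and `_LI` without showing where they are defined; confirm that `heat/common/urlfetch.py` already has a module logger and imports `_LI`, otherwise the new line raises `NameError` on the first failed fetch, which is exactly the path this change hardens. Finally, the commit message says details are dropped only "when the url scheme is not 'file'", but this `except exceptions.RequestException` branch now replaces the message unconditionally; if file URLs are handled in a separate branch that is fine, but the description should say so.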
-- 
1.9.1
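The pattern the patch applies, as an added example in Python (this is not Heat's code and not part of the patch above): a fetcher whose error path echoes the transport exception back to the API caller, next to one that keeps the detail in the operator log and returns only the URL the caller supplied. `FAKE_NETWORK`, `FakeTransportError`, `get_leaky`, `get_hardened`, `caller_visible_error` and `fetch_with_operator_log` are constructed stand-ins; the banner string is copied from the commit message, and the scheme check is an assumption about how such a fetcher behaves rather than Heat's implementation.

```python
"""Added example, not code from the Heat project: an error path that leaks the
remote banner to the caller versus one that logs it and answers generically."""
import logging
from urllib.parse import urlparse

LOG = logging.getLogger("urlfetch_example")


class URLFetchError(Exception):
    """Error surfaced to the API caller (assumed name, mirroring the patch)."""


class FakeTransportError(Exception):
    """Stand-in for requests' RequestException; its text carries whatever the
    remote socket sent back, e.g. a (constructed) SSH banner."""


# Constructed stand-in for the network: URL -> template body or failure.
FAKE_NETWORK = {
    "http://templates.example/stack.yaml": "heat_template_version: 2015-10-15\n",
    "http://localhost:22": FakeTransportError(
        "('Connection aborted.', "
        "BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"),
    "http://localhost:9": FakeTransportError("Connection refused"),
}


def _transport_get(url):
    """Pretend to fetch `url`; unknown hosts fail like a DNS error."""
    outcome = FAKE_NETWORK.get(url, FakeTransportError("Name or service not known"))
    if isinstance(outcome, Exception):
        raise outcome
    return outcome


def _check_scheme(url, allowed_schemes):
    scheme = urlparse(url).scheme
    if scheme not in allowed_schemes:
        raise URLFetchError("Invalid URL scheme %s" % scheme)


def get_leaky(url, allowed_schemes=("http", "https")):
    """'Before' behaviour: the transport error text reaches the caller."""
    _check_scheme(url, allowed_schemes)
    try:
        return _transport_get(url)
    except FakeTransportError as ex:
        raise URLFetchError("Failed to retrieve template: %s" % ex)


def get_hardened(url, allowed_schemes=("http", "https")):
    """'After' behaviour: detail goes to the operator log (deferred formatting),
    the caller only gets back the URL it supplied itself."""
    _check_scheme(url, allowed_schemes)
    try:
        return _transport_get(url)
    except FakeTransportError as ex:
        LOG.info("Failed to retrieve template: %s", ex)
        raise URLFetchError("Failed to retrieve template from %s" % url)


def caller_visible_error(fetch, url):
    """Message an API caller would see for a failed fetch, or None on success."""
    try:
        fetch(url)
        return None
    except URLFetchError as ex:
        return str(ex)


class _ListHandler(logging.Handler):
    """Collects log lines so the operator-side record can be inspected."""

    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(self.format(record))


def fetch_with_operator_log(url):
    """Return (caller-visible message, operator log lines) for the hardened fetcher."""
    handler = _ListHandler()
    LOG.addHandler(handler)
    LOG.setLevel(logging.INFO)
    try:
        caller_msg = caller_visible_error(get_hardened, url)
    finally:
        LOG.removeHandler(handler)
    return caller_msg, handler.messages


if __name__ == "__main__":
    for probe in ("http://localhost:22", "http://localhost:9"):
        print("leaky:   ", caller_visible_error(get_leaky, probe))
        msg, log_lines = fetch_with_operator_log(probe)
        print("hardened:", msg, "| operator log:", log_lines)
```

With the hardened fetcher the messages for an open port, a closed port and an unknown host differ only in the URL the caller sent, so the response no longer distinguishes them; the banner survives only in the operator log, which is where a detection rule for repeated internal-address fetches belongs.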