1 This proposed upstream patch addresses CVE-2014-0006 and is tracked |
2 under Launchpad bug 1265665. Although it's been addressed in 1.12.0, |
3 the patch below has not yet been released for 1.10.0. |
4 |
5 commit b2c61375b3255486adb2900922a894dc7dad3c6d |
6 Author: Samuel Merritt <[email protected]> |
7 Date: Thu Jan 16 13:44:23 2014 +0100 |
8 |
9 Use constant time comparison in tempURL |
10 |
11 Use constant time comparison when evaluating tempURL to avoid timing |
12 attacks (CVE-2014-0006). This is the havana backport of the master |
13 patch. |
14 |
15 Fixes bug 1265665 |
16 |
17 Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48 |
18 |
19 diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py |
20 index ffc1431..ae2f4a1 100644 |
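--- a/swift/common/middleware/tempurl.py
+++ b/swift/common/middleware/tempurl.py
@@ -98,7 +98,7 @@ from urlparse import parse_qs
 
 from swift.proxy.controllers.base import get_account_info
 from swift.common.swob import HeaderKeyDict
-from swift.common.utils import split_path
+from swift.common.utils import split_path, streq_const_time
 
 
 #: Default headers to remove from incoming requests. Simply a whitespace
@@ -267,17 +267,20 @@ class TempURL(object):
 if not keys:
 return self._invalid(env, start_response)
 if env['REQUEST_METHOD'] == 'HEAD':
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
- request_method='GET')
- if temp_url_sig not in hmac_vals:
- hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
- request_method='PUT')
- if temp_url_sig not in hmac_vals:
- return self._invalid(env, start_response)
+ hmac_vals = (self._get_hmacs(env, temp_url_expires, keys,
+ request_method='GET') +
+ self._get_hmacs(env, temp_url_expires, keys,
+ request_method='PUT'))
 else:
 hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
- if temp_url_sig not in hmac_vals:
- return self._invalid(env, start_response)
+
+ # While it's true that any() will short-circuit, this doesn't affect
+ # the timing-attack resistance since the only way this will
+ # short-circuit is when a valid signature is passed in.
+ is_valid_hmac = any(streq_const_time(temp_url_sig, h)
+ for h in hmac_vals)
+ if not is_valid_hmac:
+ return self._invalid(env, start_response)
 self._clean_incoming_headers(env)
 env['swift.authorize'] = lambda req: None
 env['swift.authorize_override'] = True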
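Review bot: The timing guarantee of the new check at `is_valid_hmac = any(streq_const_time(temp_url_sig, h) for h in hmac_vals)` rests entirely on `streq_const_time`, which is imported from `swift.common.utils` and not shown in this patch, so the backport is only complete if that helper is present on the havana branch and does not return on the first differing character. The comment above the `any()` call could record that dependency, for example `# streq_const_time must compare every character; the HMAC's length is not secret, so a length check in it is not a leak.` The HEAD branch now builds `hmac_vals` with `+`, which presumably relies on `_get_hmacs` returning a list (the old `not in` test accepted any iterable); that helper is also outside the hunk and worth confirming. No test change is visible on this page; a case asserting that a HEAD request is accepted with a signature computed for either GET or PUT and rejected otherwise would pin the merged list. The enclosing `TempURL` method starts and ends outside the hunk.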