|
1 Upstream patch to address CVE-2017-2592. |
|
2 |
|
3 https://launchpad.net/bugs/1628031 |
|
4 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2592 |
|
5 |
|
6 This patch can be removed when updating to a newer version which |
|
7 contains this fix. |
|
8 |
|
9 From ec073669a49267abcb0c1d776b9050342dac5a4a Mon Sep 17 00:00:00 2001 |
|
10 From: Jamie Lennox <[email protected]> |
|
11 Date: Wed, 28 Sep 2016 15:03:53 +1000 |
|
12 Subject: [PATCH] Filter token data out of catch_errors middleware |
|
13 |
|
14 If an exception is caught by the catch_errors middleware the entire |
|
15 request is dumped into the log including sensitive information like |
|
16 tokens. Filter that information before outputting the failed request. |
|
17 |
|
18 Closes-Bug: #1628031 |
|
19 Change-Id: I2563403993513c37751576223275350cac2e0937 |
|
20 --- |
|
21 oslo_middleware/catch_errors.py | 6 +++++- |
|
22 oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++ |
|
23 2 files changed, 30 insertions(+), 1 deletion(-) |
|
24 |
|
25 diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py |
|
26 index 43d085f..0934fc5 100644 |
|
27 --- a/oslo_middleware/catch_errors.py |
|
28 +++ b/oslo_middleware/catch_errors.py |
|
29 @@ -14,6 +14,7 @@ |
|
30 # under the License. |
|
31 |
|
32 import logging |
|
33 +import re |
|
34 |
|
35 import webob.dec |
|
36 import webob.exc |
|
37 @@ -24,6 +25,8 @@ from oslo_middleware import base |
|
38 |
|
39 LOG = logging.getLogger(__name__) |
|
40 |
|
41 +_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE) |
|
42 + |
|
43 |
|
44 class CatchErrors(base.ConfigurableMiddleware): |
|
45 """Middleware that provides high-level error handling. |
|
46 @@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware): |
|
47 try: |
|
48 response = req.get_response(self.application) |
|
49 except Exception: |
|
50 + req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text()) |
|
51 LOG.exception(_LE('An error occurred during ' |
|
52 - 'processing the request: %s'), req) |
|
53 + 'processing the request: %s'), req_str) |
|
54 response = webob.exc.HTTPInternalServerError() |
|
55 return response |
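Review bot: The pattern on the `+_TOKEN_RE` line is a plain (non-raw) string containing `\w`, which recent Python releases flag as an invalid escape sequence; it should be a raw string, and because HTTP header names are case-insensitive an `re.IGNORECASE` flag is cheap insurance even where webob normalizes the case it renders: `_TOKEN_RE = re.compile(r'^(X-\w+-Token):.*$', flags=re.MULTILINE | re.IGNORECASE)`. The filter is also an allow-list of `X-*-Token` header names only, while `req_str` is the full `req.as_text()` output, so any other credential-bearing header (`Authorization`, for instance) and the whole request body still reach the log unchanged — the new test itself asserts that the body text appears in the output. A one-line comment above `_TOKEN_RE` stating that scope, e.g. `# Redacts X-*-Token header values only; other headers and the body are logged as-is.`, would keep the next maintainer from assuming broader coverage. The `try` block belongs to a method whose signature lies outside the hunk.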
|
56 diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py |
|
57 index 920bbe2..0b675e2 100644 |
|
58 --- a/oslo_middleware/tests/test_catch_errors.py |
|
59 +++ b/oslo_middleware/tests/test_catch_errors.py |
|
60 @@ -13,6 +13,7 @@ |
|
61 # License for the specific language governing permissions and limitations |
|
62 # under the License. |
|
63 |
|
64 +import fixtures |
|
65 import mock |
|
66 from oslotest import base as test_base |
|
67 import webob.dec |
|
68 @@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase): |
|
69 self._test_has_request_id(application, |
|
70 webob.exc.HTTPInternalServerError.code) |
|
71 self.assertEqual(1, log_exc.call_count) |
|
72 + |
|
73 + def test_filter_tokens_from_log(self): |
|
74 + logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False)) |
|
75 + |
|
76 + @webob.dec.wsgify |
|
77 + def application(req): |
|
78 + raise Exception() |
|
79 + |
|
80 + app = catch_errors.CatchErrors(application) |
|
81 + req = webob.Request.blank('/test', |
|
82 + text=u'test data', |
|
83 + method='POST', |
|
84 + headers={'X-Auth-Token': 'secret1', |
|
85 + 'X-Service-Token': 'secret2', |
|
86 + 'X-Other-Token': 'secret3'}) |
|
87 + res = req.get_response(app) |
|
88 + self.assertEqual(500, res.status_int) |
|
89 + |
|
90 + output = logger.output |
|
91 + |
|
92 + self.assertIn('X-Auth-Token: <removed>', output) |
|
93 + self.assertIn('X-Service-Token: <removed>', output) |
|
94 + self.assertIn('X-Other-Token: <removed>', output) |
|
95 + self.assertIn('test data', output) |
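Review bot: The new `test_filter_tokens_from_log` asserts only the redacted form of each header and never checks that the secret values themselves are absent, so a regression that logged the raw request a second time, or left the value after the marker, would still pass; add `for secret in ('secret1', 'secret2', 'secret3'):` / `    self.assertNotIn(secret, output)` after the existing assertions. A header written in a different case (for example `'x-auth-token'`) added to the same request would also document whether the filter is intended to be case-sensitive, which the regex in `catch_errors.py` leaves implicit.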
|
96 -- |
|
97 1.9.1 |
|
98 |
|
99 |