|
1 This patch addresses CVE-2014-7821 and is tracked under Launchpad bug |
|
2 1378450. It is fixed in the stable/Juno and stable/Icehouse branches. There |
|
3 is no patch for Havana because upstream has declared it end-of-life (EOL). Therefore, this |
|
4 patch is derived from the patch for stable/Icehouse. |
|
5 |
|
6 commit ab7ea069de5cecf1c26af50996a26e1a7f86def4 |
|
7 Author: John Perkins <email address hidden> |
|
8 Date: Mon Oct 6 16:24:57 2014 -0500 |
|
9 |
|
10 Fix hostname regex pattern |
|
11 |
|
12 Current hostname_pattern regex complexity grows exponentially |
|
13 when given a string of just digits, which can be exploited to |
|
14 cause neutron-server to freeze. |
|
15 |
|
16 Change-Id: I886c6d883a9cb0acd9908495eec50bf0411d8ba8 |
|
17 Closes-bug: #1378450 |
|
18 |
|
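--- a/neutron/api/v2/attributes.py
+++ b/neutron/api/v2/attributes.py
@@ -494,8 +494,8 @@
 return [data]
 
 
-HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]"
-"{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)")
+HOSTNAME_PATTERN = ("(?=^.{1,254}$)(^(?:(?!\d+.|-)[a-zA-Z0-9_\-]{1,62}"
+"[a-zA-Z0-9]\.?)+(?:[a-zA-Z]{2,})$)")
 
 HEX_ELEM = '[0-9A-Fa-f]'
 UUID_PATTERN = '-'.join([HEX_ELEM + '{8}', HEX_ELEM + '{4}',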
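Review bot: The new `HOSTNAME_PATTERN` still repeats a variable-length label group with an optional `\.?` separator, so backtracking on other long dot-free inputs looks possible; the digits-only case appears to stop early only because the lookahead became `(?!\d+.|-)`, where the dot is no longer escaped. That lookahead now seems to reject any label that starts with a digit followed by any character, not just all-digit labels, which may be stricter than intended. If the unescaped dot is deliberate, I would say so above the constant, e.g. `# Unescaped '.' in the lookahead is intentional: reject digit-led labels before the label group can backtrack (CVE-2014-7821)`. A more robust follow-up would be to split the name on `.` and check each label against a simple anchored pattern instead of one regex with nested quantifiers. The pattern is also built from non-raw string literals, so `\d` and `\.` rely on Python passing unknown escapes through; `r"..."` literals would make that explicit.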
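--- a/neutron/tests/unit/test_attributes.py
+++ b/neutron/tests/unit/test_attributes.py
@@ -246,6 +246,7 @@
 ['www.hostname.com', 'www.hostname.com'],
 ['77.hostname.com'],
 ['1000.0.0.1'],
+['111111111111111111111111111111111111111111111111111111111111'], # noqa
 None]
 
 for ns in ns_pools: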
51 for ns in ns_pools: |