1 This upstream patch addresses CVE-2015-1856 in Swift. It should be able

     2 to be removed when Swift 2.3.0 or later is integrated.

     3 

     4 From 85afe9316570855c87ea731d0627f6f8f2b73264 Mon Sep 17 00:00:00 2001

     5 From: Alistair Coles <[email protected]>

     6 Date: Fri, 3 Apr 2015 17:05:36 +0100

     7 Subject: Prevent unauthorized delete in versioned container

     8 

     9 An authenticated user can delete the most recent version of any

    10 versioned object who's name is known if the user has listing access

    11 to the x-versions-location container. Only Swift setups with

    12 allow_version setting are affected.

    13 

    14 This patch closes this bug, tracked as CVE-2015-1856.

    15 

    16 Co-Authored-By: Clay Gerrard <[email protected]>

    17 Co-Authored-By: Christian Schwede <[email protected]>

    18 Co-Authored-By: Alistair Coles <[email protected]>

    19 

    20 Closes-Bug: 1430645

    21 

    22 Change-Id: I74448c12bc4d4cd07d4300f452cf3dd6f66ca70a

    23 

    24 --- swift-2.2.2/swift/proxy/controllers/obj.py.~1~	2015-02-01 23:44:14.000000000 -0800

    25 +++ swift-2.2.2/swift/proxy/controllers/obj.py	2015-04-14 13:55:21.015697631 -0700

    26 @@ -772,6 +772,10 @@ class ObjectController(Controller):

    27          req.acl = container_info['write_acl']

    28          req.environ['swift_sync_key'] = container_info['sync_key']

    29          object_versions = container_info['versions']

    30 +        if 'swift.authorize' in req.environ:

    31 +            aresp = req.environ['swift.authorize'](req)

    32 +            if aresp:

    33 +                return aresp

    34          if object_versions:

    35              # this is a version manifest and needs to be handled differently

    36              object_versions = unquote(object_versions)

    37 @@ -842,11 +846,11 @@ class ObjectController(Controller):

    38                  # remove 'X-If-Delete-At', since it is not for the older copy

    39                  if 'X-If-Delete-At' in req.headers:

    40                      del req.headers['X-If-Delete-At']

    41 +                if 'swift.authorize' in req.environ:

    42 +                    aresp = req.environ['swift.authorize'](req)

    43 +                    if aresp:

    44 +                        return aresp

    45                  break

    46 -        if 'swift.authorize' in req.environ:

    47 -            aresp = req.environ['swift.authorize'](req)

    48 -            if aresp:

    49 -                return aresp

    50          if not containers:

    51              return HTTPNotFound(request=req)

    52          partition, nodes = obj_ring.get_nodes(

    53 --- swift-2.2.2/test/functional/tests.py.~1~	2015-02-01 23:44:11.000000000 -0800

    54 +++ swift-2.2.2/test/functional/tests.py	2015-04-14 13:55:21.017140281 -0700

    55 @@ -2407,6 +2407,14 @@ class TestObjectVersioningEnv(object):

    56          cls.account = Account(cls.conn, tf.config.get('account',

    57                                                        tf.config['username']))

    58  

    59 +        # Second connection for ACL tests

    60 +        config2 = deepcopy(tf.config)

    61 +        config2['account'] = tf.config['account2']

    62 +        config2['username'] = tf.config['username2']

    63 +        config2['password'] = tf.config['password2']

    64 +        cls.conn2 = Connection(config2)

    65 +        cls.conn2.authenticate()

    66 +

    67          # avoid getting a prefix that stops halfway through an encoded

    68          # character

    69          prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8")

    70 @@ -2460,6 +2468,14 @@ class TestCrossPolicyObjectVersioningEnv

    71          cls.account = Account(cls.conn, tf.config.get('account',

    72                                                        tf.config['username']))

    73  

    74 +        # Second connection for ACL tests

    75 +        config2 = deepcopy(tf.config)

    76 +        config2['account'] = tf.config['account2']

    77 +        config2['username'] = tf.config['username2']

    78 +        config2['password'] = tf.config['password2']

    79 +        cls.conn2 = Connection(config2)

    80 +        cls.conn2.authenticate()

    81 +

    82          # avoid getting a prefix that stops halfway through an encoded

    83          # character

    84          prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8")

    85 @@ -2494,6 +2510,15 @@ class TestObjectVersioning(Base):

    86                  "Expected versioning_enabled to be True/False, got %r" %

    87                  (self.env.versioning_enabled,))

    88  

    89 +    def tearDown(self):

    90 +        super(TestObjectVersioning, self).tearDown()

    91 +        try:

    92 +            # delete versions first!

    93 +            self.env.versions_container.delete_files()

    94 +            self.env.container.delete_files()

    95 +        except ResponseError:

    96 +            pass

    97 +

    98      def test_overwriting(self):

    99          container = self.env.container

   100          versions_container = self.env.versions_container

   101 @@ -2553,6 +2578,33 @@ class TestObjectVersioning(Base):

   102          self.assertEqual(3, versions_container.info()['object_count'])

   103          self.assertEqual("112233", man_file.read())

   104  

   105 +    def test_versioning_check_acl(self):

   106 +        container = self.env.container

   107 +        versions_container = self.env.versions_container

   108 +        versions_container.create(hdrs={'X-Container-Read': '.r:*,.rlistings'})

   109 +

   110 +        obj_name = Utils.create_name()

   111 +        versioned_obj = container.file(obj_name)

   112 +        versioned_obj.write("aaaaa")

   113 +        self.assertEqual("aaaaa", versioned_obj.read())

   114 +

   115 +        versioned_obj.write("bbbbb")

   116 +        self.assertEqual("bbbbb", versioned_obj.read())

   117 +

   118 +        # Use token from second account and try to delete the object

   119 +        org_token = self.env.account.conn.storage_token

   120 +        self.env.account.conn.storage_token = self.env.conn2.storage_token

   121 +        try:

   122 +            self.assertRaises(ResponseError, versioned_obj.delete)

   123 +        finally:

   124 +            self.env.account.conn.storage_token = org_token

   125 +

   126 +        # Verify with token from first account

   127 +        self.assertEqual("bbbbb", versioned_obj.read())

   128 +

   129 +        versioned_obj.delete()

   130 +        self.assertEqual("aaaaa", versioned_obj.read())

   131 +

   132  

   133  class TestObjectVersioningUTF8(Base2, TestObjectVersioning):

   134      set_up = False

   135 --- swift-2.2.2/test/unit/proxy/test_server.py.~1~	2015-02-01 23:44:11.000000000 -0800

   136 +++ swift-2.2.2/test/unit/proxy/test_server.py	2015-04-14 13:55:21.019825997 -0700

   137 @@ -56,7 +56,7 @@ from swift.proxy.controllers.base import

   138      get_account_memcache_key, cors_validation

   139  import swift.proxy.controllers

   140  from swift.common.swob import Request, Response, HTTPUnauthorized, \

   141 -    HTTPException

   142 +    HTTPException, HTTPForbidden

   143  from swift.common import storage_policy

   144  from swift.common.storage_policy import StoragePolicy, \

   145      StoragePolicyCollection, POLICIES

   146 @@ -1609,6 +1609,7 @@ class TestObjectController(unittest.Test

   147      ])

   148      def test_DELETE_on_expired_versioned_object(self):

   149          methods = set()

   150 +        authorize_call_count = [0]

   151  

   152          def test_connect(ipaddr, port, device, partition, method, path,

   153                           headers=None, query_string=None):

   154 @@ -1634,6 +1635,10 @@ class TestObjectController(unittest.Test

   155              for obj in object_list:

   156                  yield obj

   157  

   158 +        def fake_authorize(req):

   159 +            authorize_call_count[0] += 1

   160 +            return None  # allow the request

   161 +

   162          with save_globals():

   163              controller = proxy_server.ObjectController(self.app,

   164                                                         'a', 'c', 'o')

   165 @@ -1645,7 +1650,8 @@ class TestObjectController(unittest.Test

   166                               204, 204, 204,  # delete for the pre-previous

   167                               give_connect=test_connect)

   168              req = Request.blank('/v1/a/c/o',

   169 -                                environ={'REQUEST_METHOD': 'DELETE'})

   170 +                                environ={'REQUEST_METHOD': 'DELETE',

   171 +                                         'swift.authorize': fake_authorize})

   172  

   173              self.app.memcache.store = {}

   174              self.app.update_request(req)

   175 @@ -1655,6 +1661,67 @@ class TestObjectController(unittest.Test

   176                             ('PUT', '/a/c/o'),

   177                             ('DELETE', '/a/foo/2')]

   178              self.assertEquals(set(exp_methods), (methods))

   179 +            self.assertEquals(authorize_call_count[0], 2)

   180 +

   181 +    @patch_policies([

   182 +        StoragePolicy(0, 'zero', False, object_ring=FakeRing()),

   183 +        StoragePolicy(1, 'one', True, object_ring=FakeRing())

   184 +    ])

   185 +    def test_denied_DELETE_of_versioned_object(self):

   186 +        """

   187 +        Verify that a request with read access to a versions container

   188 +        is unable to cause any write operations on the versioned container.

   189 +        """

   190 +        methods = set()

   191 +        authorize_call_count = [0]

   192 +

   193 +        def test_connect(ipaddr, port, device, partition, method, path,

   194 +                         headers=None, query_string=None):

   195 +            methods.add((method, path))

   196 +

   197 +        def fake_container_info(account, container, req):

   198 +            return {'status': 200, 'sync_key': None,

   199 +                    'meta': {}, 'cors': {'allow_origin': None,

   200 +                                         'expose_headers': None,

   201 +                                         'max_age': None},

   202 +                    'sysmeta': {}, 'read_acl': None, 'object_count': None,

   203 +                    'write_acl': None, 'versions': 'foo',

   204 +                    'partition': 1, 'bytes': None, 'storage_policy': '1',

   205 +                    'nodes': [{'zone': 0, 'ip': '10.0.0.0', 'region': 0,

   206 +                               'id': 0, 'device': 'sda', 'port': 1000},

   207 +                              {'zone': 1, 'ip': '10.0.0.1', 'region': 1,

   208 +                               'id': 1, 'device': 'sdb', 'port': 1001},

   209 +                              {'zone': 2, 'ip': '10.0.0.2', 'region': 0,

   210 +                               'id': 2, 'device': 'sdc', 'port': 1002}]}

   211 +

   212 +        def fake_list_iter(container, prefix, env):

   213 +            object_list = [{'name': '1'}, {'name': '2'}, {'name': '3'}]

   214 +            for obj in object_list:

   215 +                yield obj

   216 +

   217 +        def fake_authorize(req):

   218 +            # deny write access

   219 +            authorize_call_count[0] += 1

   220 +            return HTTPForbidden(req)  # allow the request

   221 +

   222 +        with save_globals():

   223 +            controller = proxy_server.ObjectController(self.app,

   224 +                                                       'a', 'c', 'o')

   225 +            controller.container_info = fake_container_info

   226 +            # patching _listing_iter simulates request being authorized

   227 +            # to list versions container

   228 +            controller._listing_iter = fake_list_iter

   229 +            set_http_connect(give_connect=test_connect)

   230 +            req = Request.blank('/v1/a/c/o',

   231 +                                environ={'REQUEST_METHOD': 'DELETE',

   232 +                                         'swift.authorize': fake_authorize})

   233 +

   234 +            self.app.memcache.store = {}

   235 +            self.app.update_request(req)

   236 +            resp = controller.DELETE(req)

   237 +            self.assertEqual(403, resp.status_int)

   238 +            self.assertFalse(methods, methods)

   239 +            self.assertEquals(authorize_call_count[0], 1)

   240  

   241      def test_PUT_auto_content_type(self):

   242          with save_globals():