|
1 This upstream patch addresses CVE-2015-1856 in Swift. It should be able |
|
2 to be removed when Swift 2.3.0 or later is integrated. |
|
3 |
|
4 From 85afe9316570855c87ea731d0627f6f8f2b73264 Mon Sep 17 00:00:00 2001 |
|
5 From: Alistair Coles <[email protected]> |
|
6 Date: Fri, 3 Apr 2015 17:05:36 +0100 |
|
7 Subject: Prevent unauthorized delete in versioned container |
|
8 |
|
9 An authenticated user can delete the most recent version of any |
|
10 versioned object who's name is known if the user has listing access |
|
11 to the x-versions-location container. Only Swift setups with |
|
12 allow_version setting are affected. |
|
13 |
|
14 This patch closes this bug, tracked as CVE-2015-1856. |
|
15 |
|
16 Co-Authored-By: Clay Gerrard <[email protected]> |
|
17 Co-Authored-By: Christian Schwede <[email protected]> |
|
18 Co-Authored-By: Alistair Coles <[email protected]> |
|
19 |
|
20 Closes-Bug: 1430645 |
|
21 |
|
22 Change-Id: I74448c12bc4d4cd07d4300f452cf3dd6f66ca70a |
|
23 |
|
24 --- swift-2.2.2/swift/proxy/controllers/obj.py.~1~ 2015-02-01 23:44:14.000000000 -0800 |
|
25 +++ swift-2.2.2/swift/proxy/controllers/obj.py 2015-04-14 13:55:21.015697631 -0700 |
|
26 @@ -772,6 +772,10 @@ class ObjectController(Controller): |
|
27 req.acl = container_info['write_acl'] |
|
28 req.environ['swift_sync_key'] = container_info['sync_key'] |
|
29 object_versions = container_info['versions'] |
|
30 + if 'swift.authorize' in req.environ: |
|
31 + aresp = req.environ['swift.authorize'](req) |
|
32 + if aresp: |
|
33 + return aresp |
|
34 if object_versions: |
|
35 # this is a version manifest and needs to be handled differently |
|
36 object_versions = unquote(object_versions) |
|
37 @@ -842,11 +846,11 @@ class ObjectController(Controller): |
|
38 # remove 'X-If-Delete-At', since it is not for the older copy |
|
39 if 'X-If-Delete-At' in req.headers: |
|
40 del req.headers['X-If-Delete-At'] |
|
41 + if 'swift.authorize' in req.environ: |
|
42 + aresp = req.environ['swift.authorize'](req) |
|
43 + if aresp: |
|
44 + return aresp |
|
45 break |
|
46 - if 'swift.authorize' in req.environ: |
|
47 - aresp = req.environ['swift.authorize'](req) |
|
48 - if aresp: |
|
49 - return aresp |
|
50 if not containers: |
|
51 return HTTPNotFound(request=req) |
|
52 partition, nodes = obj_ring.get_nodes( |
|
53 --- swift-2.2.2/test/functional/tests.py.~1~ 2015-02-01 23:44:11.000000000 -0800 |
|
54 +++ swift-2.2.2/test/functional/tests.py 2015-04-14 13:55:21.017140281 -0700 |
|
55 @@ -2407,6 +2407,14 @@ class TestObjectVersioningEnv(object): |
|
56 cls.account = Account(cls.conn, tf.config.get('account', |
|
57 tf.config['username'])) |
|
58 |
|
59 + # Second connection for ACL tests |
|
60 + config2 = deepcopy(tf.config) |
|
61 + config2['account'] = tf.config['account2'] |
|
62 + config2['username'] = tf.config['username2'] |
|
63 + config2['password'] = tf.config['password2'] |
|
64 + cls.conn2 = Connection(config2) |
|
65 + cls.conn2.authenticate() |
|
66 + |
|
67 # avoid getting a prefix that stops halfway through an encoded |
|
68 # character |
|
69 prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8") |
|
70 @@ -2460,6 +2468,14 @@ class TestCrossPolicyObjectVersioningEnv |
|
71 cls.account = Account(cls.conn, tf.config.get('account', |
|
72 tf.config['username'])) |
|
73 |
|
74 + # Second connection for ACL tests |
|
75 + config2 = deepcopy(tf.config) |
|
76 + config2['account'] = tf.config['account2'] |
|
77 + config2['username'] = tf.config['username2'] |
|
78 + config2['password'] = tf.config['password2'] |
|
79 + cls.conn2 = Connection(config2) |
|
80 + cls.conn2.authenticate() |
|
81 + |
|
82 # avoid getting a prefix that stops halfway through an encoded |
|
83 # character |
|
84 prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8") |
|
85 @@ -2494,6 +2510,15 @@ class TestObjectVersioning(Base): |
|
86 "Expected versioning_enabled to be True/False, got %r" % |
|
87 (self.env.versioning_enabled,)) |
|
88 |
|
89 + def tearDown(self): |
|
90 + super(TestObjectVersioning, self).tearDown() |
|
91 + try: |
|
92 + # delete versions first! |
|
93 + self.env.versions_container.delete_files() |
|
94 + self.env.container.delete_files() |
|
95 + except ResponseError: |
|
96 + pass |
|
97 + |
|
98 def test_overwriting(self): |
|
99 container = self.env.container |
|
100 versions_container = self.env.versions_container |
|
101 @@ -2553,6 +2578,33 @@ class TestObjectVersioning(Base): |
|
102 self.assertEqual(3, versions_container.info()['object_count']) |
|
103 self.assertEqual("112233", man_file.read()) |
|
104 |
|
105 + def test_versioning_check_acl(self): |
|
106 + container = self.env.container |
|
107 + versions_container = self.env.versions_container |
|
108 + versions_container.create(hdrs={'X-Container-Read': '.r:*,.rlistings'}) |
|
109 + |
|
110 + obj_name = Utils.create_name() |
|
111 + versioned_obj = container.file(obj_name) |
|
112 + versioned_obj.write("aaaaa") |
|
113 + self.assertEqual("aaaaa", versioned_obj.read()) |
|
114 + |
|
115 + versioned_obj.write("bbbbb") |
|
116 + self.assertEqual("bbbbb", versioned_obj.read()) |
|
117 + |
|
118 + # Use token from second account and try to delete the object |
|
119 + org_token = self.env.account.conn.storage_token |
|
120 + self.env.account.conn.storage_token = self.env.conn2.storage_token |
|
121 + try: |
|
122 + self.assertRaises(ResponseError, versioned_obj.delete) |
|
123 + finally: |
|
124 + self.env.account.conn.storage_token = org_token |
|
125 + |
|
126 + # Verify with token from first account |
|
127 + self.assertEqual("bbbbb", versioned_obj.read()) |
|
128 + |
|
129 + versioned_obj.delete() |
|
130 + self.assertEqual("aaaaa", versioned_obj.read()) |
|
131 + |
|
132 |
|
133 class TestObjectVersioningUTF8(Base2, TestObjectVersioning): |
|
134 set_up = False |
|
135 --- swift-2.2.2/test/unit/proxy/test_server.py.~1~ 2015-02-01 23:44:11.000000000 -0800 |
|
136 +++ swift-2.2.2/test/unit/proxy/test_server.py 2015-04-14 13:55:21.019825997 -0700 |
|
137 @@ -56,7 +56,7 @@ from swift.proxy.controllers.base import |
|
138 get_account_memcache_key, cors_validation |
|
139 import swift.proxy.controllers |
|
140 from swift.common.swob import Request, Response, HTTPUnauthorized, \ |
|
141 - HTTPException |
|
142 + HTTPException, HTTPForbidden |
|
143 from swift.common import storage_policy |
|
144 from swift.common.storage_policy import StoragePolicy, \ |
|
145 StoragePolicyCollection, POLICIES |
|
146 @@ -1609,6 +1609,7 @@ class TestObjectController(unittest.Test |
|
147 ]) |
|
148 def test_DELETE_on_expired_versioned_object(self): |
|
149 methods = set() |
|
150 + authorize_call_count = [0] |
|
151 |
|
152 def test_connect(ipaddr, port, device, partition, method, path, |
|
153 headers=None, query_string=None): |
|
154 @@ -1634,6 +1635,10 @@ class TestObjectController(unittest.Test |
|
155 for obj in object_list: |
|
156 yield obj |
|
157 |
|
158 + def fake_authorize(req): |
|
159 + authorize_call_count[0] += 1 |
|
160 + return None # allow the request |
|
161 + |
|
162 with save_globals(): |
|
163 controller = proxy_server.ObjectController(self.app, |
|
164 'a', 'c', 'o') |
|
165 @@ -1645,7 +1650,8 @@ class TestObjectController(unittest.Test |
|
166 204, 204, 204, # delete for the pre-previous |
|
167 give_connect=test_connect) |
|
168 req = Request.blank('/v1/a/c/o', |
|
169 - environ={'REQUEST_METHOD': 'DELETE'}) |
|
170 + environ={'REQUEST_METHOD': 'DELETE', |
|
171 + 'swift.authorize': fake_authorize}) |
|
172 |
|
173 self.app.memcache.store = {} |
|
174 self.app.update_request(req) |
|
175 @@ -1655,6 +1661,67 @@ class TestObjectController(unittest.Test |
|
176 ('PUT', '/a/c/o'), |
|
177 ('DELETE', '/a/foo/2')] |
|
178 self.assertEquals(set(exp_methods), (methods)) |
|
179 + self.assertEquals(authorize_call_count[0], 2) |
|
180 + |
|
181 + @patch_policies([ |
|
182 + StoragePolicy(0, 'zero', False, object_ring=FakeRing()), |
|
183 + StoragePolicy(1, 'one', True, object_ring=FakeRing()) |
|
184 + ]) |
|
185 + def test_denied_DELETE_of_versioned_object(self): |
|
186 + """ |
|
187 + Verify that a request with read access to a versions container |
|
188 + is unable to cause any write operations on the versioned container. |
|
189 + """ |
|
190 + methods = set() |
|
191 + authorize_call_count = [0] |
|
192 + |
|
193 + def test_connect(ipaddr, port, device, partition, method, path, |
|
194 + headers=None, query_string=None): |
|
195 + methods.add((method, path)) |
|
196 + |
|
197 + def fake_container_info(account, container, req): |
|
198 + return {'status': 200, 'sync_key': None, |
|
199 + 'meta': {}, 'cors': {'allow_origin': None, |
|
200 + 'expose_headers': None, |
|
201 + 'max_age': None}, |
|
202 + 'sysmeta': {}, 'read_acl': None, 'object_count': None, |
|
203 + 'write_acl': None, 'versions': 'foo', |
|
204 + 'partition': 1, 'bytes': None, 'storage_policy': '1', |
|
205 + 'nodes': [{'zone': 0, 'ip': '10.0.0.0', 'region': 0, |
|
206 + 'id': 0, 'device': 'sda', 'port': 1000}, |
|
207 + {'zone': 1, 'ip': '10.0.0.1', 'region': 1, |
|
208 + 'id': 1, 'device': 'sdb', 'port': 1001}, |
|
209 + {'zone': 2, 'ip': '10.0.0.2', 'region': 0, |
|
210 + 'id': 2, 'device': 'sdc', 'port': 1002}]} |
|
211 + |
|
212 + def fake_list_iter(container, prefix, env): |
|
213 + object_list = [{'name': '1'}, {'name': '2'}, {'name': '3'}] |
|
214 + for obj in object_list: |
|
215 + yield obj |
|
216 + |
|
217 + def fake_authorize(req): |
|
218 + # deny write access |
|
219 + authorize_call_count[0] += 1 |
|
220 + return HTTPForbidden(req) # allow the request |
|
221 + |
|
222 + with save_globals(): |
|
223 + controller = proxy_server.ObjectController(self.app, |
|
224 + 'a', 'c', 'o') |
|
225 + controller.container_info = fake_container_info |
|
226 + # patching _listing_iter simulates request being authorized |
|
227 + # to list versions container |
|
228 + controller._listing_iter = fake_list_iter |
|
229 + set_http_connect(give_connect=test_connect) |
|
230 + req = Request.blank('/v1/a/c/o', |
|
231 + environ={'REQUEST_METHOD': 'DELETE', |
|
232 + 'swift.authorize': fake_authorize}) |
|
233 + |
|
234 + self.app.memcache.store = {} |
|
235 + self.app.update_request(req) |
|
236 + resp = controller.DELETE(req) |
|
237 + self.assertEqual(403, resp.status_int) |
|
238 + self.assertFalse(methods, methods) |
|
239 + self.assertEquals(authorize_call_count[0], 1) |
|
240 |
|
241 def test_PUT_auto_content_type(self): |
|
242 with save_globals(): |