Mercurial Mercurial > upstream > oracle > userland-gate / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/nova/patches/16-cve-2017-7214.patch
changeset 7801 0dc67d04f8bb 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/16-cve-2017-7214.patch	Thu Mar 23 08:04:21 2017 -0700
@@ -0,0 +1,69 @@
+Upstream patch to address CVE-2017-7214. We assume 'circural' below is
+a typo for 'circular' but we took the comment verbatim from upstream.
+
+From 305cdb38db47258909ef83d5918c7c85ef9d7a5b Mon Sep 17 00:00:00 2001
+From: Balazs Gibizer <[email protected]>
+Date: Fri, 17 Mar 2017 11:24:49 +0100
+Subject: [PATCH] do not include context to exception notification
+
+The wrap_exception decorator optionally emited a notification.
+Based on the code comments the original intention was not to include the
+context to that notification due to security reasons. However the
+implementation did included the context to the payload of the legacy
+notification.
+
+Recently we saw circural reference errors during the payload serialization
+of this notification. Based on the logs the only complex data structure
+that could cause circural reference is the context. So this patch
+removes the context from the legacy exception notification.
+
+The versioned exception notification is not affected as it does not
+contain the args of the decorated function.
+
+Conflicts:
+      nova/exception_wrapper.py
+      nova/tests/unit/test_exception.py
+
+NOTE(mriedem): The conflict is due to some refactor in Newton:
+6329d721ef326488d5d660e4f68febf563ed93ab
+
+Closes-Bug: #1673375
+Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
+(cherry picked from commit 3bf177a59cfd0b4e74dba256c3466ba2ea9bfbf7)
+(cherry picked from commit a8a1915456a86f504d23f215867da730d436fe33)
+(cherry picked from commit d0ee248bab6727555561c15998c58a0f11a5351b)
+---
+ nova/exception.py                 | 4 ++++
+ nova/tests/unit/test_exception.py | 1 +
+ 2 files changed, 5 insertions(+)
+
+diff --git a/nova/exception.py b/nova/exception.py
+index 40b82bf..848b0f0 100644
+--- a/nova/exception.py
++++ b/nova/exception.py
+@@ -97,6 +97,10 @@ def wrap_exception(notifier=None, get_notifier=None):
+                         # self can't be serialized and shouldn't be in the
+                         # payload
+                         call_dict.pop('self', None)
++                        # NOTE(gibi) remove context as well as it contains
++                        # sensitive information and it can also contain
++                        # circular references
++                        call_dict.pop('context', None)
+                         cleansed = _cleanse_dict(call_dict)
+                         payload.update({'args': cleansed})
+ 
+diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
+index 6a3b2b7..17f61ef 100644
+--- a/nova/tests/unit/test_exception.py
++++ b/nova/tests/unit/test_exception.py
+@@ -62,6 +62,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
+         self.assertEqual(3, notifier.provided_payload['args']['extra'])
+         for key in ['exception', 'args']:
+             self.assertIn(key, notifier.provided_payload.keys())
++        self.assertNotIn('context', notifier.provided_payload['args'].keys())
+ 
+ 
+ class NovaExceptionTestCase(test.NoDBTestCase):
+-- 
+1.9.1
+
upstream/oracle/userland-gate