components/openstack/heat/patches/09-cve-2016-9185.patch
author Drew Fisher <drew.fisher@oracle.com>
Fri, 18 Nov 2016 07:32:35 -0800
changeset 7351 8f50566e8278
permissions -rw-r--r--
25119382 problem in SERVICE/HEAT

Upstream patch from https://review.openstack.org/393148 to address
CVE-2016-9185

From 8c681f2641ab81410a8fb99bd76ec735ba3add1e Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez <[email protected]>
Date: Mon, 17 Oct 2016 10:22:42 +0200
Subject: [PATCH] Prevent template validate from scanning ports

The template validation method in the heat API allows the caller to specify
the template to validate using a URL with the 'template_url' parameter.

By entering invalid http URLs, like 'http://localhost:22', it is
possible to scan ports by evaluating the error message of the request.

For example, the request

curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
-X POST -d '{"template_url": "http://localhost:22"}' \
http://127.0.0.1:8004/v1/<TENANT_ID>/validate

causes the following error message to be returned to the user:

"Could not retrieve template: Failed to retrieve template:
('Connection aborted.',
BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"

This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.

To prevent this information leak, this patch alters the error message
to not include such details when the url scheme is not 'file'.

SecurityImpact

Closes-Bug: #1606500

Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
---
 heat/common/urlfetch.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
index 7efd968..8a7deae 100644
--- a/heat/common/urlfetch.py
+++ b/heat/common/urlfetch.py
@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
         return result
 
     except exceptions.RequestException as ex:
-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
+        LOG.info(_LI('Failed to retrieve template: %s') % ex)
+        raise URLFetchError(_('Failed to retrieve template from %s') % url)
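Review bot: the commit message says the detail is suppressed "when the url scheme is not 'file'", but the hunk does not check the scheme; the new generic message is raised for every `exceptions.RequestException` caught here, so this is only equivalent if the 'file' branch of `get()` never reaches this handler. Either state that in the message or add the condition explicitly. Two smaller points on the same lines: `LOG.info(_LI('Failed to retrieve template: %s') % ex)` interpolates eagerly; the logging convention is to defer it with `LOG.info(_LI('Failed to retrieve template: %s'), ex)`, and the full exception text (which is exactly the banner-style detail being hidden from the tenant) now lands in the service log at INFO, so operators should treat that log as sensitive to the same internal-network information. The user-facing `URLFetchError` echoing only the caller-supplied `url` is the right shape for the fix.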
-- 
1.9.1