# HG changeset patch # User Drew Fisher # Date 1486334355 28800 # Node ID 52890fa470218e0fb8ed8c6addf620c1bee09257 # Parent 24dba977beb77c34ec97a58fba1c3b872cf31a30 25501183 problem in PYTHON-MOD/OSLO.MIDDLEWAR diff -r 24dba977beb7 -r 52890fa47021 components/python/oslo.middleware/patches/cve-2017-2592.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/python/oslo.middleware/patches/cve-2017-2592.patch Sun Feb 05 14:39:15 2017 -0800 @@ -0,0 +1,99 @@ +Upstream patch to address CVE-2017-25922. + +https://launchpad.net/bugs/1628031 +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2592 + +This patch can be removed when updating to a newer version which +contains this fix. + +From ec073669a49267abcb0c1d776b9050342dac5a4a Mon Sep 17 00:00:00 2001 +From: Jamie Lennox +Date: Wed, 28 Sep 2016 15:03:53 +1000 +Subject: [PATCH] Filter token data out of catch_errors middleware + +If an exception is caught by the catch_errors middleware the entire +request is dumped into the log including sensitive information like +tokens. Filter that information before outputting the failed request. + +Closes-Bug: #1628031 +Change-Id: I2563403993513c37751576223275350cac2e0937 +--- + oslo_middleware/catch_errors.py | 6 +++++- + oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++ + 2 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py +index 43d085f..0934fc5 100644 +--- a/oslo_middleware/catch_errors.py ++++ b/oslo_middleware/catch_errors.py +@@ -14,6 +14,7 @@ + # under the License. + + import logging ++import re + + import webob.dec + import webob.exc +@@ -24,6 +25,8 @@ from oslo_middleware import base + + LOG = logging.getLogger(__name__) + ++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE) ++ + + class CatchErrors(base.ConfigurableMiddleware): + """Middleware that provides high-level error handling. +@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware): + try: + response = req.get_response(self.application) + except Exception: ++ req_str = _TOKEN_RE.sub(r'\1: ', req.as_text()) + LOG.exception(_LE('An error occurred during ' +- 'processing the request: %s'), req) ++ 'processing the request: %s'), req_str) + response = webob.exc.HTTPInternalServerError() + return response +diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py +index 920bbe2..0b675e2 100644 +--- a/oslo_middleware/tests/test_catch_errors.py ++++ b/oslo_middleware/tests/test_catch_errors.py +@@ -13,6 +13,7 @@ + # License for the specific language governing permissions and limitations + # under the License. + ++import fixtures + import mock + from oslotest import base as test_base + import webob.dec +@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase): + self._test_has_request_id(application, + webob.exc.HTTPInternalServerError.code) + self.assertEqual(1, log_exc.call_count) ++ ++ def test_filter_tokens_from_log(self): ++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False)) ++ ++ @webob.dec.wsgify ++ def application(req): ++ raise Exception() ++ ++ app = catch_errors.CatchErrors(application) ++ req = webob.Request.blank('/test', ++ text=u'test data', ++ method='POST', ++ headers={'X-Auth-Token': 'secret1', ++ 'X-Service-Token': 'secret2', ++ 'X-Other-Token': 'secret3'}) ++ res = req.get_response(app) ++ self.assertEqual(500, res.status_int) ++ ++ output = logger.output ++ ++ self.assertIn('X-Auth-Token: ', output) ++ self.assertIn('X-Service-Token: ', output) ++ self.assertIn('X-Other-Token: ', output) ++ self.assertIn('test data', output) +-- +1.9.1 + +