# HG changeset patch # User Drew Fisher # Date 1479483155 28800 # Node ID 8f50566e82783b6ac7f14c4311d0392df4c50a16 # Parent 7cd865fc284aa1900fe4cbcfaed63a1b1be71a1b 25119382 problem in SERVICE/HEAT diff -r 7cd865fc284a -r 8f50566e8278 components/openstack/heat/patches/09-cve-2016-9185.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openstack/heat/patches/09-cve-2016-9185.patch Fri Nov 18 07:32:35 2016 -0800 @@ -0,0 +1,56 @@ +Upstream patch from https://review.openstack.org/393148 to address +CVE-2016-9185 + +From 8c681f2641ab81410a8fb99bd76ec735ba3add1e Mon Sep 17 00:00:00 2001 +From: Daniel Gonzalez +Date: Mon, 17 Oct 2016 10:22:42 +0200 +Subject: [PATCH] Prevent template validate from scanning ports + +The template validation method in the heat API allows to specify the +template to validate using a URL with the 'template_url' parameter. + +By entering invalid http URLs, like 'http://localhost:22' it is +possible to scan ports by evaluating the error message of the request. + +For example, the request + +curl -H "Content-Type: application/json" -H "X-Auth-Token: " \ +-X POST -d '{"template_url": "http://localhost:22"}' \ +http://127.0.0.1:8004/v1//validate + +causes the following error message to be returned to the user: + +"Could not retrieve template: Failed to retrieve template: +('Connection aborted.', +BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))" + +This could be misused by tenants to gain knowledge about the internal +network the heat API runs in. + +To prevent this information leak, this patch alters the error message +to not include such details when the url scheme is not 'file'. + +SecurityImpact + +Closes-Bug: #1606500 + +Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950 +(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98) +--- + heat/common/urlfetch.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py +index 7efd968..8a7deae 100644 +--- a/heat/common/urlfetch.py ++++ b/heat/common/urlfetch.py +@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')): + return result + + except exceptions.RequestException as ex: +- raise URLFetchError(_('Failed to retrieve template: %s') % ex) ++ LOG.info(_LI('Failed to retrieve template: %s') % ex) ++ raise URLFetchError(_('Failed to retrieve template from %s') % url) +-- +1.9.1 +