25119382 problem in SERVICE/HEAT
author Drew Fisher <drew.fisher@oracle.com>
Fri, 18 Nov 2016 07:32:35 -0800
changeset 7351 8f50566e8278
parent 7350 7cd865fc284a
child 7352 a8f63c7198e5
25119382 problem in SERVICE/HEAT
components/openstack/heat/patches/09-cve-2016-9185.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/heat/patches/09-cve-2016-9185.patch	Fri Nov 18 07:32:35 2016 -0800
@@ -0,0 +1,56 @@
+Upstream patch from https://review.openstack.org/393148 to address
+CVE-2016-9185
+
+From 8c681f2641ab81410a8fb99bd76ec735ba3add1e Mon Sep 17 00:00:00 2001
+From: Daniel Gonzalez <[email protected]>
+Date: Mon, 17 Oct 2016 10:22:42 +0200
+Subject: [PATCH] Prevent template validate from scanning ports
+
+The template validation method in the heat API allows to specify the
+template to validate using a URL with the 'template_url' parameter.
+
+By entering invalid http URLs, like 'http://localhost:22' it is
+possible to scan ports by evaluating the error message of the request.
+
+For example, the request
+
+curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
+-X POST -d '{"template_url": "http://localhost:22"}' \
+http://127.0.0.1:8004/v1/<TENANT_ID>/validate
+
+causes the following error message to be returned to the user:
+
+"Could not retrieve template: Failed to retrieve template:
+('Connection aborted.',
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+
+This could be misused by tenants to gain knowledge about the internal
+network the heat API runs in.
+
+To prevent this information leak, this patch alters the error message
+to not include such details when the url scheme is not 'file'.
+
+SecurityImpact
+
+Closes-Bug: #1606500
+
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
+---
+ heat/common/urlfetch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py
++++ b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+         return result
+ 
+     except exceptions.RequestException as ex:
+-        raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++        LOG.info(_LI('Failed to retrieve template: %s') % ex)
++        raise URLFetchError(_('Failed to retrieve template from %s') % url)
+-- 
+1.9.1
+
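Review bot: the embedded urlfetch.py hunk narrows the information returned to the caller (the raw requests exception text is moved into the log and the user now only sees "Failed to retrieve template from <url>"), but the fetch itself is unchanged: the visible signature `get(url, allowed_schemes=('http', 'https'))` restricts only the scheme, so the API server still connects to whatever host and port the tenant names in `template_url`. That is worth stating in the patch header so downstream maintainers know this closes the error-message leak rather than the underlying unrestricted fetch; a destination allowlist or a deny list of internal address ranges would be the complementary hardening. Two smaller points on the added lines: `LOG.info(_LI('Failed to retrieve template: %s') % ex)` formats eagerly, whereas the oslo.log convention is `LOG.info(_LI('Failed to retrieve template: %s'), ex)` so the message is only rendered when the level is enabled, and a failed template fetch is arguably `warning` rather than `info`. The message given to the user echoes `url` back, which is user-supplied input, so nothing new is disclosed there.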