public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Ian Delaney (idella4)" <idella4@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo-x86 commit in sys-cluster/swift/files: CVE-2014-3497-1.13.patch
Date: Tue, 24 Jun 2014 09:49:27 +0000 (UTC)	[thread overview]
Message-ID: <20140624094927.344F22004E@flycatcher.gentoo.org> (raw)

idella4     14/06/24 09:49:27

  Added:                CVE-2014-3497-1.13.patch
  Log:
  revbump; add sec. patch wrt Bug #513864
  
  (Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key 0xB8072B0D)

Revision  Changes    Path
1.1                  sys-cluster/swift/files/CVE-2014-3497-1.13.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/swift/files/CVE-2014-3497-1.13.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/swift/files/CVE-2014-3497-1.13.patch?rev=1.1&content-type=text/plain

Index: CVE-2014-3497-1.13.patch
===================================================================
https://review.openstack.org/gitweb?p=openstack%2Fswift.git;a=commitdiff;h=b223322ed1ef44f61490f820240aa01f1047ae2e
author	John Dickinson <me@not.mn>	
	Sat, 7 Jun 2014 02:46:41 +0800 (11:46 -0700)
committer	John Dickinson <me@not.mn>	
	Thu, 19 Jun 2014 06:28:33 +0800 (15:28 -0700)
HTTP header values should be quoted. Since the WWW-Authenticate
header value contains user-supplied strings, it's important to
ensure it's properly quoted to ensure the integrity of the protocol.

Previous to this patch, the URL was unquoted and then the unquoted
value was returned in the header. This patch re-quotes the value
when it is set on the response.

This is filed as CVS-2014-3497

Fixes bug 1327414

Change-Id: If8bd8842f2ce821756e9b4461a18a8ac8d42fb8c
diff --git a/swift/common/swob.py b/swift/common/swob.py
index 638086e..f4f38c7 100644 (file)
--- a/swift/common/swob.py
+++ b/swift/common/swob.py
@@ -1203,7 +1203,7 @@ class Response(object):
                 realm = 'unknown'
         except (AttributeError, ValueError):
             realm = 'unknown'
-        return 'Swift realm="%s"' % realm
+        return 'Swift realm="%s"' % urllib2.quote(realm)
 
     @property
     def is_success(self):
diff --git a/test/functional/tests.py b/test/functional/tests.py
index ad8c398..7983815 100644 (file)
--- a/test/functional/tests.py
+++ b/test/functional/tests.py
@@ -333,6 +333,19 @@ class TestAccount(Base):
             self.assertEqual(sorted(containers, cmp=locale.strcoll),
                              containers)
 
+    def testQuotedWWWAuthenticateHeader(self):
+        conn = Connection(config)
+        conn.authenticate()
+        inserted_html = '<b>Hello World'
+        hax = 'AUTH_haxx"\nContent-Length: %d\n\n%s' % (len(inserted_html),
+                                                        inserted_html)
+        quoted_hax = urllib.quote(hax)
+        conn.connection.request('GET', '/v1/' + quoted_hax, None, {})
+        resp = conn.connection.getresponse()
+        resp_headers = resp.getheaders()
+        expected = ('www-authenticate', 'Swift realm="%s"' % quoted_hax)
+        self.assert_(expected in resp_headers)
+
 
 class TestAccountUTF8(Base2, TestAccount):
     set_up = False
diff --git a/test/unit/common/test_swob.py b/test/unit/common/test_swob.py
index 7cc5439..b0452b9 100644 (file)
--- a/test/unit/common/test_swob.py
+++ b/test/unit/common/test_swob.py
@@ -601,6 +601,28 @@ class TestRequest(unittest.TestCase):
         self.assertEquals('Me realm="whatever"',
                           resp.headers['Www-Authenticate'])
 
+    def test_401_www_authenticate_is_quoted(self):
+
+        def test_app(environ, start_response):
+            start_response('401 Unauthorized', [])
+            return ['hi']
+
+        hacker = 'account-name\n\n<b>foo<br>'  # url injection test
+        quoted_hacker = quote(hacker)
+        req = swift.common.swob.Request.blank('/v1/' + hacker)
+        resp = req.get_response(test_app)
+        self.assertEquals(resp.status_int, 401)
+        self.assert_('Www-Authenticate' in resp.headers)
+        self.assertEquals('Swift realm="%s"' % quoted_hacker,
+                          resp.headers['Www-Authenticate'])
+
+        req = swift.common.swob.Request.blank('/v1/' + quoted_hacker)
+        resp = req.get_response(test_app)
+        self.assertEquals(resp.status_int, 401)
+        self.assert_('Www-Authenticate' in resp.headers)
+        self.assertEquals('Swift realm="%s"' % quoted_hacker,
+                          resp.headers['Www-Authenticate'])
+
     def test_not_401(self):
 
         # Other status codes should not have WWW-Authenticate in response





                 reply	other threads:[~2014-06-24  9:49 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140624094927.344F22004E@flycatcher.gentoo.org \
    --to=idella4@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox