author | Matthew Thode <prometheanfire@gentoo.org> | 2017-01-26 15:40:53 -0600 |
committer | Matthew Thode <prometheanfire@gentoo.org> | 2017-01-26 15:43:41 -0600 |
commit | ad8a82887a3e612cae719a7ce6219f9ee760fc66 (patch) | |
tree | 88cd49f2c5c44ecbec6411f8610536646f60b2c7 | |
parent | dev-db/phpmyadmin: Security releases - 4.0.10.19, 4.4.15.10, 4.6.6 (PMASA-20... (diff) | |
download | gentoo-ad8a82887a3e612cae719a7ce6219f9ee760fc66.tar.gz gentoo-ad8a82887a3e612cae719a7ce6219f9ee760fc66.tar.bz2 gentoo-ad8a82887a3e612cae719a7ce6219f9ee760fc66.zip |
dev-python/oslo-middleware: fix CVE-2017-2592 bug 606976
Package-Manager: portage-2.3.3
4 files changed, 299 insertions, 0 deletions
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch
new file mode 100644
index 000000000000..b38cd597c3d4
--- /dev/null
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch
@@ -0,0 +1,90 @@
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@gmail.com>
+Date: Wed, 28 Sep 2016 15:03:53 +1000
+Subject: [PATCH] Filter token data out of catch_errors middleware
+
+If an exception is caught by the catch_errors middleware the entire
+request is dumped into the log including sensitive information like
+tokens. Filter that information before outputting the failed request.
+
+Closes-Bug: #1628031
+Change-Id: I2563403993513c37751576223275350cac2e0937
+---
+ oslo_middleware/catch_errors.py | 6 +++++-
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
+index 43d085f..0934fc5 100644
+--- a/oslo_middleware/catch_errors.py
++++ b/oslo_middleware/catch_errors.py
+@@ -14,6 +14,7 @@
+ # under the License.
+ 
+ import logging
++import re
+ 
+ import webob.dec
+ import webob.exc
+@@ -24,6 +25,8 @@ from oslo_middleware import base
+ 
+ LOG = logging.getLogger(__name__)
+ 
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
++
+ 
+ class CatchErrors(base.ConfigurableMiddleware):
+ """Middleware that provides high-level error handling.
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
+ try:
+ response = req.get_response(self.application)
+ except Exception:
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
+ LOG.exception(_LE('An error occurred during '
+- 'processing the request: %s'), req)
++ 'processing the request: %s'), req_str)
+ response = webob.exc.HTTPInternalServerError()
+ return response
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
+index 920bbe2..0b675e2 100644
+--- a/oslo_middleware/tests/test_catch_errors.py
++++ b/oslo_middleware/tests/test_catch_errors.py
+@@ -13,6 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ 
++import fixtures
+ import mock
+ from oslotest import base as test_base
+ import webob.dec
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
+ self._test_has_request_id(application,
+ webob.exc.HTTPInternalServerError.code)
+ self.assertEqual(1, log_exc.call_count)
++
++ def test_filter_tokens_from_log(self):
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
++
++ @webob.dec.wsgify
++ def application(req):
++ raise Exception()
++
++ app = catch_errors.CatchErrors(application)
++ req = webob.Request.blank('/test',
++ text=u'test data',
++ method='POST',
++ headers={'X-Auth-Token': 'secret1',
++ 'X-Service-Token': 'secret2',
++ 'X-Other-Token': 'secret3'})
++ res = req.get_response(app)
++ self.assertEqual(500, res.status_int)
++
++ output = logger.output
++
++ self.assertIn('X-Auth-Token: <removed>', output)
++ self.assertIn('X-Service-Token: <removed>', output)
++ self.assertIn('X-Other-Token: <removed>', output)
++ self.assertIn('test data', output)
+--
+2.7.4
+
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch
new file mode 100644
index 000000000000..b38cd597c3d4
--- /dev/null
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch 
@@ -0,0 +1,90 @@
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@gmail.com>
+Date: Wed, 28 Sep 2016 15:03:53 +1000
+Subject: [PATCH] Filter token data out of catch_errors middleware
+
+If an exception is caught by the catch_errors middleware the entire
+request is dumped into the log including sensitive information like
+tokens. Filter that information before outputting the failed request.
+
+Closes-Bug: #1628031
+Change-Id: I2563403993513c37751576223275350cac2e0937
+---
+ oslo_middleware/catch_errors.py | 6 +++++-
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
+index 43d085f..0934fc5 100644
+--- a/oslo_middleware/catch_errors.py
++++ b/oslo_middleware/catch_errors.py
+@@ -14,6 +14,7 @@
+ # under the License.
+ 
+ import logging
++import re
+ 
+ import webob.dec
+ import webob.exc
+@@ -24,6 +25,8 @@ from oslo_middleware import base
+ 
+ LOG = logging.getLogger(__name__)
+ 
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
++
+ 
+ class CatchErrors(base.ConfigurableMiddleware):
+ """Middleware that provides high-level error handling.
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
+ try:
+ response = req.get_response(self.application)
+ except Exception:
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
+ LOG.exception(_LE('An error occurred during '
+- 'processing the request: %s'), req)
++ 'processing the request: %s'), req_str)
+ response = webob.exc.HTTPInternalServerError()
+ return response
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
+index 920bbe2..0b675e2 100644
+--- a/oslo_middleware/tests/test_catch_errors.py
++++ b/oslo_middleware/tests/test_catch_errors.py
+@@ -13,6 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ 
++import fixtures
+ import mock
+ from oslotest import base as test_base
+ import webob.dec
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
+ self._test_has_request_id(application,
+ webob.exc.HTTPInternalServerError.code)
+ self.assertEqual(1, log_exc.call_count)
++
++ def test_filter_tokens_from_log(self):
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
++
++ @webob.dec.wsgify
++ def application(req):
++ raise Exception()
++
++ app = catch_errors.CatchErrors(application)
++ req = webob.Request.blank('/test',
++ text=u'test data',
++ method='POST',
++ headers={'X-Auth-Token': 'secret1',
++ 'X-Service-Token': 'secret2',
++ 'X-Other-Token': 'secret3'})
++ res = req.get_response(app)
++ self.assertEqual(500, res.status_int)
++
++ output = logger.output
++
++ self.assertIn('X-Auth-Token: <removed>', output)
++ self.assertIn('X-Service-Token: <removed>', output)
++ self.assertIn('X-Other-Token: <removed>', output)
++ self.assertIn('test data', output)
+--
+2.7.4
+
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild
new file mode 100644
index 000000000000..062868e1012a
--- /dev/null
+++ b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild
@@ -0,0 +1,59 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=6
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows."
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware"
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz"
+S="${WORKDIR}/oslo.middleware-${PV}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="test"
+
+PATCHES=( "${FILESDIR}/cve-2017-2592-stable-newton.patch" )
+
+CDEPEND="
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}]
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}
+ test? (
+ >=dev-python/fixtures-3.0.0[${PYTHON_USEDEP}]
+ >=dev-python/mock-2.0.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}]
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ )"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}]
+"
+
+python_prepare_all() {
+ sed -i '/^hacking/d' test-requirements.txt || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ nosetests tests/ || die "test failed under ${EPYTHON}"
+}
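Review bot: `python_test` runs `nosetests tests/ || die "test failed under ${EPYTHON}"`, but the vendored patch this ebuild applies modifies `oslo_middleware/tests/test_catch_errors.py`, which suggests the package's test suite lives under `oslo_middleware/tests/` rather than a top-level `tests/`; if so, the test phase either dies on a missing directory or runs nothing relevant, and the new `test_filter_tokens_from_log` regression test never confirms that the token-filtering fix actually took effect in the installed package. After checking the layout of the 3.19.0 tarball, `nosetests oslo_middleware/tests/ || die "test failed under ${EPYTHON}"` would exercise the patched code path. The 3.8.0-r2 ebuild later in this commit has the same `python_test` body and would want the same change.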
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild
new file mode 100644
index 000000000000..1a7e55b48a89
--- /dev/null
+++ b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild
@@ -0,0 +1,60 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 )
+
+inherit distutils-r1
+
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows."
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware"
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz"
+S="${WORKDIR}/oslo.middleware-${PV}"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="test"
+
+FILES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" )
+
+CDEPEND="
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}]
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]"
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
+ ${CDEPEND}
+ test? (
+ >=dev-python/fixtures-1.3.1[${PYTHON_USEDEP}]
+ >=dev-python/mock-1.2[${PYTHON_USEDEP}]
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}]
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}]
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}]
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}]
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+ )"
+RDEPEND="
+ ${CDEPEND}
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}]
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}]
+ >=dev-python/oslo-config-3.7.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+ >=dev-python/oslo-utils-3.5.0[${PYTHON_USEDEP}]
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+ >=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}]
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}]
+"
+
+python_prepare_all() {
+ sed -i '/^hacking/d' test-requirements.txt || die
+ distutils-r1_python_prepare_all
+}
+
+python_test() {
+ nosetests tests/ || die "test failed under ${EPYTHON}"
+} |
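Review bot: `FILES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" )` declares an array that nothing in this ebuild or, as far as I know, the distutils-r1 eclass reads, so the mitaka patch is never applied and 3.8.0-r2 would ship with the same catch_errors token leak the commit message says it fixes. The sibling 3.19.0-r1 ebuild in this commit spells it `PATCHES=( ... )`, which `distutils-r1_python_prepare_all` applies (also under EAPI 5, as I recall); this file should match: `PATCHES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" )`. Because the revision bump is the only signal users get that the fix landed, it is worth confirming in the build log that the patch is actually applied before this revision is considered fixed for CVE-2017-2592.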