proxying user supplied librarian files via the launchpad appserver domain has security and performance issues
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Robert Collins |
Bug Description
The production Librarian runs on a non-launchpad.net domain. This means that if an HTML document or other content that can embed script is served, the browser security model should stop it from stealing authentication credentials.
We are now proxying some files via Launchpad - stuff served from the 'restricted' Librarian. The current pattern is that these files are served from the launchpad.net domain. We use SafeStreamingOr
However, this has some issues: we cannot do inline rendering of user-supplied files because they could attack Launchpad cookies, perform AJAX requests and so on; it is also not scalable and makes the appservers fragile, because they download directly from the Librarian.
OpenID and other cookie based solutions cannot help, because those cookies would be vulnerable to attack; we need something that partitions all user supplied content into one security context each.
The current plan is to use a separate domain using wildcard DNS, per contenthash (LFC object), on https, with a random token providing time limited access; tokens will be generated by the appservers even in readonly requests, and the librarian will check for tokens on all LFAs which have the restricted bit set.
https:/
The code has landed; we're now rolling out a QA environment for this, which will be followed by enabling it.
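As an added illustration of the plan described above (example code written for this page, not Launchpad's own implementation), the following Python sketch pairs an appserver that hands out a random, time-limited token for a restricted file with a librarian that serves that file only over HTTPS, on a subdomain named after the file's content hash, and only while the token is live. The domain names, the one-day TTL, the URL layout, the use of a SHA-1 hex digest as the content hash and the in-memory token table are all assumptions made here; the schema change and the timelimitedtoken test in the diff below suggest the real tokens are persisted in the database, and the in-memory store only stands in for that.

```python
"""Time-limited tokens for restricted librarian files served from a
per-content-hash origin.  Added illustration, not Launchpad's code: the
domain names, TTL, URL layout and in-memory token table are assumptions."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

PUBLIC_DOMAIN = "librarian.example"                 # assumption
RESTRICTED_DOMAIN = "restricted.librarian.example"  # assumption: wildcard DNS
TOKEN_TTL = 24 * 3600                               # assumption: one-day tokens


class LibraryFile:
    """A LibraryFileAlias together with the hash of its content (the LFC)."""

    def __init__(self, alias_id, filename, content, restricted):
        self.alias_id = alias_id
        self.filename = filename
        self.content = content
        self.content_hash = hashlib.sha1(content).hexdigest()
        self.restricted = restricted


class FakeClock:
    """Controllable clock so token expiry can be exercised offline."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class TokenStore:
    """Token table written by the appservers and read by the librarian."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._rows = []  # (path, token, created)

    def issue(self, path):
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        self._rows.append((path, token, self.clock()))
        return token

    def check(self, path, presented):
        now = self.clock()
        ok = False
        for row_path, token, created in self._rows:
            if row_path == path and now - created <= TOKEN_TTL:
                # Constant-time comparison so the check does not leak the token.
                ok |= hmac.compare_digest(token.encode(), presented.encode())
        return ok

    def prune(self):
        """Drop expired rows; returns how many were removed (a garbo-style job)."""
        now = self.clock()
        live = [r for r in self._rows if now - r[2] <= TOKEN_TTL]
        removed = len(self._rows) - len(live)
        self._rows = live
        return removed


def appserver_url(store, lf):
    """URL the appserver hands to the browser instead of proxying the bytes.

    A restricted file gets its own origin (one subdomain per content hash),
    so a hostile HTML attachment cannot read appserver cookies, plus a token
    the librarian honours only until TOKEN_TTL has elapsed."""
    path = "/%d/%s" % (lf.alias_id, lf.filename)
    if not lf.restricted:
        return "http://%s%s" % (PUBLIC_DOMAIN, path)
    token = store.issue(path)
    return "https://%s.%s%s?token=%s" % (lf.content_hash, RESTRICTED_DOMAIN, path, token)


def librarian_serve(store, files, url):
    """Librarian side: return (status, body) for a requested URL."""
    parts = urlsplit(url)
    try:
        alias_id = int(parts.path.split("/")[1])
    except (IndexError, ValueError):
        return 404, b""
    lf = files.get(alias_id)
    if lf is None:
        return 404, b""
    if not lf.restricted:
        return 200, lf.content  # public files need no token
    # Restricted files: HTTPS, on this file's own origin, with a live token.
    expected_host = "%s.%s" % (lf.content_hash, RESTRICTED_DOMAIN)
    if parts.scheme != "https" or parts.hostname != expected_host:
        return 404, b""
    presented = parse_qs(parts.query).get("token", [""])[0]
    if not store.check(parts.path, presented):
        return 403, b""
    return 200, lf.content


if __name__ == "__main__":
    clock, store = FakeClock(), TokenStore(FakeClock())
    lf = LibraryFile(2, "attachment.html", b"<html>constructed sample</html>", True)
    url = appserver_url(store, lf)
    print(url, librarian_serve(store, {2: lf}, url)[0])
```

The librarian refuses the same path on any other host, so a restricted file can never be fetched from the appserver origin even with a valid token, and it refuses a token once its age exceeds TOKEN_TTL regardless of whether a pruning job has run yet; pruning only keeps the table small.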
Related branches
- Stuart Bishop (community): Approve
- Graham Binns (community): Approve (release-critical)
- Launchpad code reviewers: Pending requested
Diff: 1731 lines (+804/-148), 29 files modified
database/schema/launchpad_session.sql (+16/-0)
lib/canonical/database/sqlbase.py (+10/-2)
lib/canonical/launchpad/browser/librarian.py (+88/-12)
lib/canonical/launchpad/database/ftests/test_timelimitedtoken.py (+29/-0)
lib/canonical/launchpad/database/librarian.py (+69/-1)
lib/canonical/launchpad/doc/librarian.txt (+175/-24)
lib/canonical/launchpad/ftests/test_libraryfilealias.py (+1/-6)
lib/canonical/launchpad/interfaces/librarian.py (+5/-1)
lib/canonical/launchpad/interfaces/lpstorm.py (+0/-1)
lib/canonical/launchpad/scripts/garbo.py (+47/-5)
lib/canonical/launchpad/scripts/tests/test_garbo.py (+23/-2)
lib/canonical/launchpad/utilities/looptuner.py (+4/-0)
lib/canonical/launchpad/webapp/session.py (+2/-1)
lib/canonical/launchpad/zcml/librarian.zcml (+5/-0)
lib/canonical/librarian/client.py (+37/-9)
lib/canonical/librarian/db.py (+33/-5)
lib/canonical/librarian/ftests/test_db.py (+14/-12)
lib/canonical/librarian/ftests/test_storage.py (+3/-2)
lib/canonical/librarian/ftests/test_web.py (+157/-25)
lib/canonical/librarian/interfaces.py (+13/-2)
lib/canonical/librarian/storage.py (+2/-2)
lib/canonical/librarian/web.py (+37/-9)
lib/canonical/testing/layers.py (+6/-4)
lib/lp/bugs/browser/bugattachment.py (+1/-16)
lib/lp/bugs/browser/configure.zcml (+0/-4)
lib/lp/bugs/browser/tests/test_bugattachment_file_access.py (+17/-2)
lib/lp/scripts/utilities/importfascist.py (+1/-0)
lib/lp/services/features/webapp.py (+8/-0)
lib/lp/testing/fakelibrarian.py (+1/-1)
- affects: launchpad → launchpad-foundations
- tags: added: librarian
- Changed in launchpad-foundations:
  - status: New → Triaged
  - importance: Undecided → Low
- summary: "'private' Librarian opens us to security vulnerabilities" → "exposing user supplied files in the launchpad appserver domain opens us to security vulnerabilities"
- description: updated
- summary: "exposing user supplied files in the launchpad appserver domain opens us to security vulnerabilities" → "proxying user supplied files via the launchpad appserver domain has security and performance issues"
- description: updated
- Changed in launchpad-foundations:
  - importance: Low → High
  - security vulnerability: yes → no
  - visibility: private → public
- Changed in launchpad-foundations:
  - assignee: nobody → Robert Collins (lifeless)
- Changed in launchpad-foundations:
  - status: Triaged → Fix Committed
  - milestone: none → 10.09
- tags: added: qa-needstesting
- summary: "proxying user supplied files via the launchpad appserver domain has security and performance issues" → "proxying user supplied libarian files via the launchpad appserver domain has security and performance issues"
- description: updated
- tags: added: qa-ok; removed: qa-needstesting
Idea: OpenID authentication might come to the rescue here. librarian.launchpad.net could be an OpenID consumer, and every file served out of there needing authentication authenticated with a different trust root.