EC2 error response does no XML escaping

Bug #978439 reported by Joshua Harlow
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Andrew James

Bug Description

When an error happens in EC2 (or in openstack), a function called ec2_error is used. This creates an XML body in which none of the variables used in its content are XML escaped. This could be bad....

Tags: ec2 security
Thierry Carrez (ttx) wrote :

Adding security since this may have some interesting potential.

Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
tags: added: ec2
security vulnerability: no → yes
Thierry Carrez (ttx) wrote :

Confirmed that it looks like a user-provided invalid instance ID would be put as-is in the XML response message, and that should probably be filtered.

Not sure there is a security attack vector there though. Looks like you would just reap what you sow yourself?
Joshua: could you explain how this could be bad, so that we set importance right?

security vulnerability: yes → no
Joshua Harlow (harlowja) wrote :

Well, I was just thinking that this could be used for cross site scripting?
Although since most of the messages are openstack controlled here it might not be a problem.
I would say it's not a security attack vector (unless that attack comes from within) so it seems more of just a cleanup issue.

Thierry Carrez (ttx) wrote :

Agree on the difficulty to exploit *and* on the need to fix :)

tags: added: security
Andrew James (ajames) wrote :

Marking 1036347 as a duplicate of this bug, though it only applies to escaping '<' and '>'.

Should we consider the 5 predefined escapes sufficient for this bug?

http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML

That would only add '&' relative to 1036347.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12276

Changed in nova:
assignee: nobody → Andrew James (ajames)
status: Confirmed → In Progress
Mark McLoughlin (markmc)
Changed in nova:
milestone: none → folsom-rc1
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/12276
Committed: http://github.com/openstack/nova/commit/f86b24935cf122183fcb9c523041d22071c3c0f1
Submitter: Jenkins
Branch: master

commit f86b24935cf122183fcb9c523041d22071c3c0f1
Author: Andrew James <email address hidden>
Date: Thu Aug 30 17:15:35 2012 -0600

    Escape ec2 XML error responses

    Fixes bug 978439

    XML error responses to ec2 calls include user supplied data that is not
    escaped. This could result in returning invalid XML.

    This is addressed by using utils.xhtml_escape() on purposeful EC2 error
    responses and when handling webob.exc.HTTPException.

    Extended the tests for utils.xhtml_escape() to cover '&', '>', '<' and a tag
    look-alike. These conversions are implicit to saxutils.escape().

    Change-Id: Icb3e861c6c06c0d9c3b9e2ab1a658581a0fb39c6

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2
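
The effect discussed in this report, as an added example that is not nova's code: an error body built by plain string interpolation next to one that passes each value through saxutils.escape(), with the result parsed back to show what a client receives. The template layout, function names and instance IDs are assumptions constructed for illustration.

```python
# Added illustration, not code from nova. The template layout, the function
# names and the sample instance IDs are assumptions made for this example.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TEMPLATE = ('<?xml version="1.0"?>\n'
            '<Response><Errors><Error><Code>%s</Code>'
            '<Message>%s</Message></Error></Errors>'
            '<RequestID>%s</RequestID></Response>')


def error_body_unescaped(code, message, request_id):
    """'Before' form: values are interpolated into the XML as-is."""
    return TEMPLATE % (code, message, request_id)


def error_body_escaped(code, message, request_id):
    """'After' form: escape() rewrites '&', '<' and '>' in every value.
    All values land in element content, never in an attribute, so the
    quote characters need no escaping here."""
    return TEMPLATE % (escape(code), escape(message), escape(request_id))


def parse_message(body):
    """Return the <Message> text a client would read, or None when the
    body is not well-formed XML."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("./Errors/Error/Message")


# Constructed sample IDs: a bare '&', a bare '<', and a tag look-alike.
SAMPLE_IDS = ["i-0000&0001", "i-<0001>", "i-<b>0001</b>"]

if __name__ == "__main__":
    for instance_id in SAMPLE_IDS:
        msg = "Instance %s not found" % instance_id
        args = ("InvalidInstanceID.NotFound", msg, "req-constructed")
        print(repr(instance_id))
        print("  unescaped ->", repr(parse_message(error_body_unescaped(*args))))
        print("  escaped   ->", repr(parse_message(error_body_escaped(*args))))
```

The first two IDs make the unescaped body unparseable; the tag look-alike parses but becomes a child element, so the client sees a truncated message.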