From 3b9c353abd27e2eeaae875b458e3557b3806e9c8 Mon Sep 17 00:00:00 2001
From: Daniel Gonzalez
Date: Mon, 17 Oct 2016 10:22:42 +0200
Subject: [PATCH] Prevent template validate from scanning ports
The template validation method in the heat API allows to specify the template to validate using a URL with the 'template_url' parameter. By entering invalid http URLs, like 'http://localhost:22' it is possible to scan ports by evaluating the error message of the request. For example, the request curl -H "Content-Type: application/json" -H "X-Auth-Token: " \ -X POST -d '{"template_url": "http://localhost:22"}' \ http://127.0.0.1:8004/v1//validate causes the following error message to be returned to the user: "Could not retrieve template: Failed to retrieve template: ('Connection aborted.', BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))" This could be misused by tenants to gain knowledge about the internal network the heat API runs in. To prevent this information leak, this patch alters the error message to not include such details when the url scheme is not 'file'. SecurityImpact Closes-Bug: #1606500 Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
---
 heat/common/urlfetch.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
index 7efd968..1a26d30 100644
--- a/heat/common/urlfetch.py
+++ b/heat/common/urlfetch.py
@@ -75,4 +75,4 @@ def get(url, allowed_schemes=('http', 'https')):
 return result
 except exceptions.RequestException as ex:
- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
+ raise URLFetchError(_('Failed to retrieve template from %s') % url)
--
2.10.1
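Review bot: The new `raise` drops `ex` from the user-facing message without recording it anywhere, so an operator investigating a failed template fetch loses the underlying cause; log it server-side before raising, e.g. `LOG.debug('Template fetch from %s failed: %s', url, ex)`, assuming the module has a logger (none is visible in this hunk). Redacting the message removes the banner disclosure only: the service still connects to whatever host and port `template_url` names, so the outcome and timing of the request can still differ between reachable and unreachable internal endpoints. A destination check in `get()` that rejects loopback, link-local and private addresses would address that; whether one already exists cannot be seen here, because the function body starts above the hunk. The message also now echoes the caller-supplied `url` verbatim, so any userinfo part (`user:password@`) should be stripped before it is formatted into the error.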