OpenStack Dashboard (Horizon)

  1. Bug #1606500
  2. Comment #36

Comment 36 for bug 1606500

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (stable/newton)

Reviewed: https://review.openstack.org/393147
Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=02dfb1a64f8a545a6dfed15245ac54c8ea835b81
Submitter: Jenkins
Branch: stable/newton

commit 02dfb1a64f8a545a6dfed15245ac54c8ea835b81
Author: Daniel Gonzalez <email address hidden>
Date: Mon Oct 17 10:22:42 2016 +0200

    Prevent template validate from scanning ports

    The template validation method in the heat API allows to specify the
    template to validate using a URL with the 'template_url' parameter.

    By entering invalid http URLs, like 'http://localhost:22' it is
    possible to scan ports by evaluating the error message of the request.

    For example, the request

    curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
    -X POST -d '{"template_url": "http://localhost:22"}' \
    http://127.0.0.1:8004/v1/<TENANT_ID>/validate

    causes the following error message to be returned to the user:

    "Could not retrieve template: Failed to retrieve template:
    ('Connection aborted.',
    BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"

    This could be misused by tenants to gain knowledge about the internal
    network the heat API runs in.

    To prevent this information leak, this patch alters the error message
    to not include such details when the url scheme is not 'file'.

    SecurityImpact

    Closes-Bug: #1606500

    Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
    (cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)