Neutron API responses should not contain tracebacks

Bug #1951429 reported by Bence Romsics
Affects   Status         Importance   Assigned to      Milestone
neutron   Fix Released   Low          Bence Romsics

Bug Description

Security folks found some corner cases in the neutron API where the response contains a traceback, for example:

$ curl --request-target foo -k http://127.0.0.1:9696
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 563, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 208, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 130, in normalize_url
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')

As a developer I don't mind such tracebacks, but I see their point that this may give away unwanted information to an attacker. On the other hand I would not consider this in itself a vulnerability.

Pushing a trivial fix in a minute.

Tags: api
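The failure mode in the report, as an added example that is not code from neutron, eventlet or the linked commit: a constructed stand-in for the urlmap assertion, a minimal emulation of a WSGI server's error path with and without traceback echoing (the neutron fix turns that echoing off in eventlet.wsgi.server itself), and a response check that flags a leaked traceback. The names urlmap_like_app, handle_one_response and leaks_traceback are mine.

```python
import logging
import traceback

log = logging.getLogger("wsgi-demo")

# Marker every Python traceback begins with; enough to flag a leaked one.
TRACEBACK_MARKER = b"Traceback (most recent call last)"


def urlmap_like_app(environ, start_response):
    """Constructed stand-in for the paste.urlmap check quoted in the report:
    a request target that does not start with '/' trips an assertion."""
    path = environ.get("PATH_INFO", "")
    assert not path or path.startswith("/"), (
        "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def handle_one_response(app, environ, debug):
    """Emulation (not eventlet's code) of a server's exception handling.
    Returns (status, body). With debug=True the traceback is written into
    the client response, which is what the bug report shows; with
    debug=False it goes only to the server log and the client gets a
    generic 500 body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    try:
        body = b"".join(app(environ, start_response))
        return captured["status"], body
    except Exception:
        tb = traceback.format_exc()
        if debug:
            return "500 Internal Server Error", tb.encode()
        log.error("unhandled exception in WSGI app:\n%s", tb)
        return "500 Internal Server Error", b"Internal Server Error\n"


def leaks_traceback(body):
    """Response check a reviewer or API scanner can run against a body."""
    return TRACEBACK_MARKER in body


if __name__ == "__main__":
    bad_request = {"REQUEST_METHOD": "GET", "PATH_INFO": "foo"}  # constructed
    for debug in (True, False):
        status, body = handle_one_response(urlmap_like_app, bad_request, debug)
        print("debug=%s %s leaks=%s" % (debug, status, leaks_traceback(body)))
```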
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/818391

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/818391
Committed: https://opendev.org/openstack/neutron/commit/0256e494d029ac18bc6c9fed0fd995283c675075
Submitter: "Zuul (22348)"
Branch: master

commit 0256e494d029ac18bc6c9fed0fd995283c675075
Author: Bence Romsics <email address hidden>
Date: Thu Nov 18 15:01:20 2021 +0100

    Disable tracebacks of eventlet.wsgi.server

    Security folks considered tracebacks in API responses unwanted.

    Some additional lower constraints had to be bumped for the
    lower-constraints job to pass.

    Change-Id: Ibaefbb9935020318ed670774b0205f3bcffef4ad
    Closes-Bug: #1951429
    Depends-On: https://review.opendev.org/c/openstack/oslo.service/+/818548

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/827037

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/827038

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/827039

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/victoria)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/827039

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/wallaby)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/827038

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/xena)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/827037

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.0.0.0rc1

This issue was fixed in the openstack/neutron 20.0.0.0rc1 release candidate.
