Neutron API responses should not contain tracebacks

Bug #1951429 reported by Bence Romsics
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Bence Romsics

Bug Description

Security folks found some corner cases in the neutron API where the response contains a traceback, for example:

$ curl --request-target foo -k http://127.0.0.1:9696
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 563, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 208, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 130, in normalize_url
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')

As a developer I don't mind such tracebacks, but I see their point that this may give away unwanted information to an attacker. On the other hand I would not consider this in itself a vulnerability.

Pushing a trivial fix in a minute.

Tags: api
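As an added example (not neutron's or eventlet's own code), a minimal stdlib WSGI middleware modelled on the debug flag of eventlet.wsgi.server that the merged fix turns off: with debug on, the traceback is copied into the 500 body exactly as in the curl output above; with it off, the traceback stays in the server-side log and the client only receives an opaque 500. The endpoint, the paths and the leaks_traceback response check are constructed stand-ins for a test suite, not anything from the neutron code base.

```python
import logging
import sys
import traceback
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("wsgi-guard")

def leaks_traceback(body: bytes) -> bool:
    """Constructed response-body check: does this look like a Python traceback?"""
    return body.lstrip().startswith(b"Traceback (most recent call last)") or (
        b'  File "' in body and b", line " in body)

def broken_app(environ, start_response):
    """Constructed stand-in for an endpoint that fails on malformed input."""
    path = environ.get("PATH_INFO", "")
    if path and not path.startswith("/"):
        raise AssertionError(
            "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

class ErrorGuard:
    """Middleware modelled on eventlet.wsgi.server's debug flag: debug=True copies the
    traceback into the response (the symptom reported above), debug=False logs it."""
    def __init__(self, app, debug=False):
        self.app, self.debug = app, debug
    def __call__(self, environ, start_response):
        try:  # list() consumes the iterable so lazily raised errors are caught too
            return list(self.app(environ, start_response))
        except Exception:
            log.exception("unhandled error on %s %s", environ.get("REQUEST_METHOD"),
                          environ.get("PATH_INFO"))
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            body = traceback.format_exc() if self.debug else "Internal Server Error\n"
            return [body.encode()]

def call(app, path):
    """Drive a WSGI app in-process and return (status, body), no socket needed."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    body = b"".join(app(environ, start_response))
    return seen["status"], body
```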
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/818391

Changed in neutron:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/818391
Committed: https://opendev.org/openstack/neutron/commit/0256e494d029ac18bc6c9fed0fd995283c675075
Submitter: "Zuul (22348)"
Branch: master

commit 0256e494d029ac18bc6c9fed0fd995283c675075
Author: Bence Romsics <email address hidden>
Date: Thu Nov 18 15:01:20 2021 +0100

    Disable tracebacks of eventlet.wsgi.server

    Security folks considered tracebacks in API responses unwanted.

    Some additional lower constraints had to be bumped for the
    lower-constraints job to pass.

    Change-Id: Ibaefbb9935020318ed670774b0205f3bcffef4ad
    Closes-Bug: #1951429
    Depends-On: https://review.opendev.org/c/openstack/oslo.service/+/818548

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/827037

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/827038

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/827039

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/victoria)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/827039

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/wallaby)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/827038

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/xena)

Change abandoned by "Bence Romsics <email address hidden>" on branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/827037

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.0.0.0rc1

This issue was fixed in the openstack/neutron 20.0.0.0rc1 release candidate.
