OpenStack Compute (Nova)

EC2 error response does no XML escaping

Reported by Joshua Harlow on 2012-04-10
This bug affects 2 people
Affects: OpenStack Compute (nova)
Importance: Medium
Assigned to: Andrew James

Bug Description

When an error happens in EC2 (or in OpenStack), a function called ec2_error is used; this creates an XML body in which none of the variables used in its content are XML-escaped. This could be bad....

Thierry Carrez (ttx) wrote :

Adding security since this may have some interesting potential.

Changed in nova:
importance: Undecided → Medium
status: New → Confirmed
tags: added: ec2
security vulnerability: no → yes
Thierry Carrez (ttx) wrote :

Confirmed that it looks like a user-provided invalid instance ID would be put as-is in the XML response message, and that should probably be filtered.

Not sure there is a security attack vector there though. Looks like you would just reap what you sow yourself?
Joshua: could you explain how this could be bad, so that we set importance right?

security vulnerability: yes → no
Joshua Harlow (harlowja) wrote :

Well, I was just thinking that this could be used for cross-site scripting?
Although since most of the messages are OpenStack-controlled here, it might not be a problem.
I would say it's not a security attack vector (unless that attack comes from within), so it seems more of just a cleanup issue.

Thierry Carrez (ttx) wrote :

Agree on the difficulty to exploit *and* on the need to fix :)

tags: added: security
Andrew James (ajames) wrote :

Marking 1036347 as a duplicate of this bug, though it only applies to escaping '<' and '>'.

Should we consider the 5 predefined escapes sufficient for this bug?

http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Predefined_entities_in_XML

That would only add '&' relative to 1036347.

Fix proposed to branch: master
Review: https://review.openstack.org/12276

Changed in nova:
assignee: nobody → Andrew James (ajames)
status: Confirmed → In Progress
Mark McLoughlin (markmc) on 2012-09-04
Changed in nova:
milestone: none → folsom-rc1

Reviewed: https://review.openstack.org/12276
Committed: http://github.com/openstack/nova/commit/f86b24935cf122183fcb9c523041d22071c3c0f1
Submitter: Jenkins
Branch: master

commit f86b24935cf122183fcb9c523041d22071c3c0f1
Author: Andrew James <email address hidden>
Date: Thu Aug 30 17:15:35 2012 -0600

    Escape ec2 XML error responses

    Fixes bug 978439

    XML error responses to ec2 calls include user supplied data that is not
    escaped. This could result in returning invalid XML.

    This is addressed by using utils.xhtml_escape() on purposeful EC2 error
    responses and when handling webob.exc.HTTPException.

    Extended the tests for utils.xhtml_escape() to cover '&', '>', '<' and a tag
    look-alike. These conversions are implicit to saxutils.escape().

    Change-Id: Icb3e861c6c06c0d9c3b9e2ab1a658581a0fb39c6

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2012-09-19
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in nova:
milestone: folsom-rc1 → 2012.2
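
The behaviour discussed in this thread, as an added example that is not nova's code and not part of the original report: the error template, function names and sample messages are constructed for illustration. It compares interpolating values as-is with passing them through xml.sax.saxutils.escape(), and shows the three-versus-five predefined entity question raised above.

```python
import xml.etree.ElementTree as ET
from xml.sax import saxutils

# Assumed template: shaped like an EC2-style error body, not copied from nova.
TEMPLATE = ('<?xml version="1.0"?>\n'
            '<Response><Errors><Error><Code>%s</Code>'
            '<Message>%s</Message></Error></Errors>'
            '<RequestID>%s</RequestID></Response>')


def error_body_unescaped(code, message, request_id):
    """'Before' behaviour: values are interpolated as-is."""
    return TEMPLATE % (code, message, request_id)


def error_body_escaped(code, message, request_id):
    """'After' behaviour: each value is escaped for element content."""
    values = (code, message, request_id)
    return TEMPLATE % tuple(saxutils.escape(v) for v in values)


def escape_five(value):
    """All five predefined entities; quotes only matter in attribute values."""
    return saxutils.escape(value, {'"': '&quot;', "'": '&apos;'})


def parse_message(body):
    """Return (Message text, child element count), or None if not well-formed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    msg = root.find('./Errors/Error/Message')
    return (''.join(msg.itertext()), len(list(msg)))


if __name__ == '__main__':
    # Constructed sample messages: a tag look-alike and a bare '&' / '<'.
    samples = ['Instance i-<b>1</b> not found', 'vol-1 & vol-2 <missing']
    for text in samples:
        before = error_body_unescaped('InvalidParameterValue', text, 'req-1')
        after = error_body_escaped('InvalidParameterValue', text, 'req-1')
        print(repr(text))
        print('  unescaped ->', parse_message(before))
        print('  escaped   ->', parse_message(after))
    print(escape_five('say "hi" & \'bye\''))
```

A client parsing the unescaped body either sees an extra element inside Message or rejects the document outright; the escaped body returns the original text unchanged.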