Invalid parsing of Forwarded header (RFC7239)

Bug #1711573 reported by Adam Kijak on 2017-08-18
Affects Status Importance Assigned to Milestone
  Ubuntu Cloud Archive (status tracked in Pike)
    Ocata: importance High, Unassigned
    Pike: importance High, Unassigned
  oslo.middleware: importance Undecided, assigned to Adam Kijak
  python-oslo.middleware (Ubuntu) (status tracked in Artful)
    Zesty: importance Undecided, Unassigned
    Artful: importance Undecided, Unassigned

Bug Description

>>> from oslo_middleware.http_proxy_to_wsgi import HTTPProxyToWSGI
>>> HTTPProxyToWSGI._parse_rfc7239_header("for=192.0.2.60;proto=http, for=192.0.2.60;by=203.0.113.43")
[{'for': '192.0.2.60', 'proto': 'http'}, {' for': '192.0.2.60', 'by': '203.0.113.43'}]
>>>
>>> HTTPProxyToWSGI._parse_rfc7239_header("for=192.0.2.60; proto=http, for=192.0.2.60; by=203.0.113.43")
[{' proto': 'http', 'for': '192.0.2.60'}, {' for': '192.0.2.60', ' by': '203.0.113.43'}]

According to some sources:
https://en.wikipedia.org/wiki/X-Forwarded-For#Alternatives_and_variations
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded

using a space after the semicolon in a Forwarded header is valid, but _parse_rfc7239_header does not parse it properly: note the spaces in the keys of the dicts above.

This affects e.g. Heat when using a proxy+SSL.
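The parse error above comes down to splitting on ";" and "," without trimming the surrounding whitespace, so a key arrives as " proto" and a later lookup of "proto" (the value a proxy-aware app uses to pick http vs https) silently returns nothing. The parser below is an added example written for this page, not the oslo.middleware code or the fix that landed; it goes a little beyond the reported case by also handling quoted values (needed for IPv6 addresses and ports, where ";" and "," may appear inside the quotes), lowercasing parameter names, and rejecting a parameter that repeats within one element instead of letting the last one win. The function names, the sample headers and the helper `proxy_scheme` are all constructed here.

```python
"""Whitespace-tolerant parser for the HTTP Forwarded header (RFC 7239).

Added example for this bug page; not oslo.middleware's implementation.
"""
import re


def _split_unquoted(text, sep):
    """Split text on sep, ignoring separators that sit inside a quoted-string."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:                      # char after a backslash inside quotes
            buf.append(ch)
            escaped = False
        elif ch == '\\' and quoted:      # start of a quoted-pair
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf))
    return parts


def _unquote(value):
    """Strip surrounding double quotes and resolve backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r'\\(.)', r'\1', value[1:-1])
    return value


def parse_forwarded(header):
    """Return a list of dicts, one per forwarded-element, with clean keys.

    Whitespace around ",", ";" and "=" is ignored, parameter names are
    lowercased, and a name repeated inside one element raises ValueError.
    Empty pairs (e.g. "for=a;;proto=b") are skipped.
    """
    elements = []
    for element in _split_unquoted(header, ','):
        pairs = {}
        for pair in _split_unquoted(element, ';'):
            pair = pair.strip()          # the whitespace the bug report is about
            if not pair:
                continue
            if '=' not in pair:
                raise ValueError('malformed forwarded-pair: %r' % pair)
            key, _, value = pair.partition('=')
            key = key.strip().lower()    # parameter names are case-insensitive
            if key in pairs:
                raise ValueError('parameter %r repeated in one element' % key)
            pairs[key] = _unquote(value.strip())
        if pairs:
            elements.append(pairs)
    return elements


def proxy_scheme(header):
    """Scheme announced by the first (outermost) proxy, or None if unusable.

    Constructed helper showing what a proxy-aware WSGI app needs from the
    header; only a recognised scheme value is accepted.
    """
    elements = parse_forwarded(header)
    if not elements:
        return None
    proto = elements[0].get('proto')
    return proto if proto in ('http', 'https') else None


if __name__ == '__main__':
    # Constructed inputs: the two headers from the bug report plus a quoted IPv6 value.
    for h in ('for=192.0.2.60;proto=http, for=192.0.2.60;by=203.0.113.43',
              'for=192.0.2.60; proto=http, for=192.0.2.60; by=203.0.113.43',
              'for="[2001:db8::1]:8080"; proto=https'):
        print(parse_forwarded(h), proxy_scheme(h))
```

Both headers from the report now parse to identical dicts with the keys `for`, `proto` and `by`, so `proxy_scheme` returns "http" for each rather than None. The quoted form matters because a naive split on ";" would cut `"[2001:db8::1]:8080"` apart; the duplicate check is there so that a header carrying two `proto` values in one element is rejected rather than quietly resolved in favour of whichever came last.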

Adam Kijak (adam-kijak) on 2017-08-18
tags: added: proxy wsgi
Adam Kijak (adam-kijak) on 2017-08-18
Changed in oslo.middleware:
assignee: nobody → Adam Kijak (adam-kijak)
status: New → In Progress

Reviewed: https://review.openstack.org/495172
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=480d60ac856937e1a48c1ed6df3b7d2e59a974dc
Submitter: Jenkins
Branch: master

commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a

Changed in oslo.middleware:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/499470
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=d9ad4bae1e0d6c43a009d393ac94f7ff50116171
Submitter: Jenkins
Branch: stable/pike

commit d9ad4bae1e0d6c43a009d393ac94f7ff50116171
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a
    (cherry picked from commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc)

tags: added: in-stable-pike

Reviewed: https://review.openstack.org/499471
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=74208402c6cadc0fb46379e2f7122eade7998883
Submitter: Jenkins
Branch: stable/ocata

commit 74208402c6cadc0fb46379e2f7122eade7998883
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a
    (cherry picked from commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc)

tags: added: in-stable-ocata

This issue was fixed in the openstack/oslo.middleware 3.31.0 release.

Corey Bryant (corey.bryant) wrote :

Ubuntu SRU details:

[Description]
See bug description.

[Test Case]
See bug description.

[Regression Potential]
Low. This fix has landed upstream already in master, stable/pike, and stable/ocata branches. The fix is minimal and just strips whitespace.

Corey Bryant (corey.bryant) wrote :

I've uploaded new versions of the package to artful (pike) and zesty (ocata).

Changed in python-oslo.middleware (Ubuntu Zesty):
status: New → Triaged
Changed in python-oslo.middleware (Ubuntu Artful):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-oslo.middleware - 3.30.0-0ubuntu1.1

---------------
python-oslo.middleware (3.30.0-0ubuntu1.1) artful; urgency=medium

  * d/p/fix-parsing-of-forwarded-header.patch: Fix invalid parsing of
    forwarded header (LP: #1711573).

 -- Corey Bryant <email address hidden> Fri, 22 Sep 2017 09:09:11 -0400

Changed in python-oslo.middleware (Ubuntu Artful):
status: Triaged → Fix Released

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into pike-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:pike-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-pike-needed to verification-pike-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-pike-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-pike-needed
Brian Murray (brian-murray) wrote :

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-oslo.middleware/3.23.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-oslo.middleware (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty

This issue was fixed in the openstack/oslo.middleware 3.30.1 release.

This issue was fixed in the openstack/oslo.middleware 3.23.3 release.

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed

The verification of the Stable Release Update for python-oslo.middleware has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Ryan Beisner (1chb1n) wrote :

This bug was fixed in the package python-oslo.middleware - 3.23.1-0ubuntu1.1~cloud0
---------------

 python-oslo.middleware (3.23.1-0ubuntu1.1~cloud0) xenial-ocata; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-oslo.middleware (3.23.1-0ubuntu1.1) zesty; urgency=medium
 .
   * d/p/fix-parsing-of-forwarded-header.patch: Fix invalid parsing of
     forwarded header (LP: #1711573).
