staticweb middleware ignores acl and breaks clients
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Fix Released | Undecided | Christian Schwede | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| puppet-swift | Invalid | Undecided | Emilien Macchi | |
| Juno | New | Undecided | Unassigned | |
| Kilo | New | Undecided | Unassigned | |
| Trunk | New | Undecided | Unassigned | |
Bug Description
Two issues were found in the staticweb middleware. They might be just "normal" bugs, but I prefer to start with a private security bug first; however the impact looks rather low to me atm.
1. staticweb middleware does not check ACLs
The documentation says that a read ACL of ".r:*" must be set, however this is never checked in staticweb. At least in combination with tempauth this allows container listings without any ACL set. Note that the staticweb middleware must still be enabled on a container, and this can only be done by an account owner (because it requires a POST to the container).
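The following is an added illustration of the contract issue #1 describes; it is not Swift's staticweb code. It models a container as the dict of headers Swift stores (X-Container-Read, X-Container-Meta-Web-Listings) and a requester by owner flag, account:user identity and Referer host. The referrer-rule semantics follow Swift's documented ACL syntax (".r:*", ".r:host", ".r:.domain", "-" to deny, later rules overriding earlier ones); the function names and the dict representation are assumptions of this example. `serve_listing_vulnerable` is the behaviour the report describes (only the listings flag is consulted); `serve_listing_hardened` additionally requires the read ACL to admit the request.

```python
"""Model of the read-ACL check that issue #1 says staticweb skipped (added example)."""

# Prefixes Swift accepts for referrer rules in X-Container-Read.
REFERRER_PREFIXES = ('.r:', '.ref:', '.referer:', '.referrer:')


def parse_read_acl(acl_value):
    """Split an X-Container-Read value into (referrer_rules, grants).

    Elements are comma-separated. '.r:*' allows any referrer, '.r:host'
    that host, '.r:.example.com' that domain and its subdomains, and a
    leading '-' after the prefix denies instead of allowing. Everything
    else ('account:user', a group name, '.rlistings') is kept as a grant.
    """
    referrer_rules, grants = [], []
    for item in (acl_value or '').split(','):
        item = item.strip()
        if not item:
            continue
        prefix = next((p for p in REFERRER_PREFIXES if item.startswith(p)), None)
        if prefix:
            referrer_rules.append(item[len(prefix):])
        else:
            grants.append(item)
    return referrer_rules, grants


def referrer_allowed(referrer_host, referrer_rules):
    """Apply referrer rules in order; a later matching rule overrides an earlier one."""
    allowed = False
    for rule in referrer_rules:
        deny = rule.startswith('-')
        pattern = rule[1:] if deny else rule
        matches = (pattern == '*'
                   or referrer_host == pattern
                   or (pattern.startswith('.') and referrer_host.endswith(pattern)))
        if matches:
            allowed = not deny
    return allowed


def listings_enabled(container_meta):
    """True when the container owner has switched web listings on."""
    return container_meta.get('X-Container-Meta-Web-Listings', '').strip().lower() == 'true'


def serve_listing_vulnerable(container_meta, is_owner=False, user=None, referrer_host=None):
    """Behaviour described in the bug: only the listings flag is consulted,
    so enabling listings exposes the container contents regardless of ACL."""
    return listings_enabled(container_meta)


def serve_listing_hardened(container_meta, is_owner=False, user=None, referrer_host=None):
    """Listings flag AND the container's read ACL must both admit the request."""
    if not listings_enabled(container_meta):
        return False
    if is_owner:
        return True
    referrer_rules, grants = parse_read_acl(container_meta.get('X-Container-Read', ''))
    if user is not None and user in grants:
        return True
    # With no Referer header the host is treated as 'unknown', which only '.r:*' matches.
    return referrer_allowed(referrer_host or 'unknown', referrer_rules)


if __name__ == '__main__':
    # Constructed sample: listings enabled, no read ACL at all (the case in the report).
    meta = {'X-Container-Meta-Web-Listings': 'true'}
    print('vulnerable:', serve_listing_vulnerable(meta))   # True
    print('hardened:  ', serve_listing_hardened(meta))     # False
```

Run over a container with listings on but no read ACL, the vulnerable path serves the listing and the hardened path refuses it; adding ".r:*" (the setting the documentation requires) makes the hardened path serve it too.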
2. Might break clients if used before any auth module in the proxy pipeline
Actually this looks simple at first, but might be a little bit worse than #1. If an operator puts the staticweb middleware before the authentication middleware, staticweb responds with an HTML listing for GET and HEAD requests if listings are enabled on the container, even if a token is sent. In the case of python-swiftclient this might lead to a situation where a user thinks there is an empty, private container but actually the container is publicly readable. Note: the documentation already says to put staticweb after an auth middleware in the pipeline.
For example, using master on swift and python-swiftclient on a SAIO (put staticweb before tempauth in the proxy pipeline to verify this):
# Create a new container and upload an object
vagrant@
testobj
# Expected output
vagrant@
URL: http://
Auth Token: AUTH_tk3f556ba1
Account: AUTH_test
Container: container
Objects: 1
Bytes: 0
Read ACL:
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: default
X-Timestamp: 1440746384.43528
X-Trans-Id: txa77acfe8bd004
Content-Type: text/plain; charset=utf-8
# Now enable listings
vagrant@
vagrant@
[...snipped...the html listing shown now, as expected including "testobj"]
# Now in case of python-swiftclient: 0 objects, no ACLs, no enabled web listing
vagrant@
URL: http://
Auth Token: AUTH_tk3f556ba1
Account: AUTH_test
Container: container
Objects: 0
Bytes: 0
Read ACL:
Write ACL:
Sync To:
Sync Key:
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx233a6fd34a184
Note that this is still true if there is a public read ACL set. Thus it is possible to list and download objects, but in the case of python-swiftclient a private, empty container is reported. Other clients might be affected as well (due to the HTML response).
A patch to fix both issues has been attached. Overall, the existing tests could be further improved; for example, you can completely remove the read ACL and all tests still pass on master.
CVE References: CVE-2015-5249
description: updated
summary: "staticweb middleware ignores acl and breaks clients" → "staticweb middleware ignores acl and breaks clients (CVE-2015-5249)"
information type: Private Security → Public
description: updated
Changed in swift: status: Fix Committed → Fix Released
Hmm, this is tricky and might affect a few more users. Not yet adding openstack/puppet-swift; however I attached a patch ready for this as well.
openstack/puppet-swift puts staticweb in front of keystone in the proxy pipeline; not sure how many operators use this module, but this might result in a much wider distribution of problem #2.
https://github.com/openstack/puppet-swift/blob/master/manifests/proxy/staticweb.pp#L23
https://github.com/openstack/puppet-swift/blob/master/manifests/proxy/keystone.pp#L35
In fact other middlewares might not be in the correct pipeline order as well, but that seems to be a different problem:
vagrant@saio:~/puppet-swift$ grep order manifests/proxy/* | sort -t ':' -k 2 | cut -f 3- -d "/"
quotas.pp: order => '81',
tempauth.pp: order => '01',
swauth.pp: order => '20',
bulk.pp: order => '21',
authtoken.pp: order => '22',
cache.pp: order => '23',
catch_errors.pp: order => '24',
healthcheck.pp: order => '25',
ratelimit.pp: order => '26',
proxy_logging.pp: order => '27',
swift3.pp: order => '27',
s3token.pp: order => '28',
tempurl.pp: order => '29',
formpost.pp: order => '31',
staticweb.pp: order => '32',
ceilometer.pp: order => '33',
gatekeeper.pp: order => '34',
crossdomain.pp: order => '35',
slo.pp: order => '35',
keystone.pp: order => '79',
account_quotas.pp: order => '80',
container_
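The pipeline-order problem (#2) and the puppet-swift order values quoted above lend themselves to a configuration check an operator can run before deploying. The following is an added example, not code from Swift or puppet-swift: it reads the `pipeline =` line of a proxy-server.conf, or alternatively the `name.pp: order => 'NN',` lines as printed above, and flags every auth filter that would run after staticweb. Assumptions of this example: the set of filters treated as "auth" (tempauth, swauth, authtoken, keystoneauth), that the proxy/keystone class corresponds to the keystoneauth filter, and that the puppet order values are read as relative pipeline positions, which is how the comment above reads them. The sample configs and the copy of the order lines are constructed.

```python
"""Check that staticweb sits behind every auth filter in a Swift proxy pipeline (added example)."""
import re

# Filters that authenticate or authorize the request; each one present must
# precede staticweb. The set is an assumption of this example, drawn from the
# filters mentioned in the report and the puppet-swift listing.
AUTH_FILTERS = {'tempauth', 'swauth', 'authtoken', 'keystoneauth'}

# puppet-swift class name -> filter name where they differ
# (assumption: manifests/proxy/keystone.pp manages the keystoneauth filter).
PUPPET_TO_FILTER = {'keystone': 'keystoneauth'}


def parse_pipeline(conf_text):
    """Return the ordered filter list from a proxy-server.conf 'pipeline =' line."""
    match = re.search(r'^\s*pipeline\s*=\s*(.+?)\s*$', conf_text, re.MULTILINE)
    if not match:
        raise ValueError('no "pipeline =" line found')
    return match.group(1).split()


def pipeline_from_puppet_orders(lines):
    """Turn "name.pp: order => 'NN'," lines into a filter list sorted by order value.

    Assumption: the order values are read as relative pipeline positions,
    as the comment above does; ties keep a stable, name-sorted order.
    """
    entries = []
    for line in lines:
        match = re.match(r"\s*(\w+)\.pp:\s*order\s*=>\s*'(\d+)'", line)
        if match:
            name = PUPPET_TO_FILTER.get(match.group(1), match.group(1))
            entries.append((int(match.group(2)), name))
    entries.sort()
    return [name for _, name in entries]


def check_staticweb_position(pipeline):
    """Return one finding per auth filter that runs after staticweb (empty list = OK)."""
    findings = []
    if 'staticweb' not in pipeline:
        return findings
    staticweb_pos = pipeline.index('staticweb')
    for pos, name in enumerate(pipeline):
        if name in AUTH_FILTERS and pos > staticweb_pos:
            findings.append(f"staticweb (position {staticweb_pos}) runs before "
                            f"auth filter '{name}' (position {pos})")
    return findings


# Constructed sample configs: the ordering the reporter used to reproduce #2,
# and the documented ordering with staticweb behind the auth filter.
WEAK_CONF = """
[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache staticweb tempauth proxy-logging proxy-server
"""
FIXED_CONF = """
[pipeline:main]
pipeline = catch_errors gatekeeper healthcheck proxy-logging cache tempauth staticweb proxy-logging proxy-server
"""

# Constructed copy of a subset of the puppet-swift order values quoted above.
PUPPET_ORDER_LINES = """
tempauth.pp: order => '01',
swauth.pp: order => '20',
authtoken.pp: order => '22',
cache.pp: order => '23',
catch_errors.pp: order => '24',
staticweb.pp: order => '32',
keystone.pp: order => '79',
""".strip().splitlines()


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        print(label, check_staticweb_position(parse_pipeline(conf)) or 'OK')
    puppet_pipeline = pipeline_from_puppet_orders(PUPPET_ORDER_LINES)
    print('puppet', check_staticweb_position(puppet_pipeline) or 'OK')
```

On the weak config the check reports staticweb ahead of tempauth; on the fixed config it reports nothing; on the puppet order values it reports staticweb (32) ahead of keystoneauth (79), which is the situation the comment above describes.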