staticweb reveals container existence when web-listings is disabled

I think it's not a security issues because of the used ACL?

"swift post -r '.r:*,.rlistings' c1" enables reading and listing of the container, so revealing the existence of the container looks fine to me. However, the 404 looks wrong to me in this case - the container listing should be returned (as text/plain, json, or xml).

This patch applies to commit a7af8024 from here https://review.openstack.org/#/c/227204/ (currently in gate queue)

@Christian - the issue is when the ACL is *removed*, a 404 is returned. This step:

 now remove the ACL form the container...

swift@u134:~/swift$ swift post -r '' c1
swift@u134:~/swift$ wget localhost:8080/v1/AUTH_test/c1/
--2015-10-14 16:12:43-- http://localhost:8080/v1/AUTH_test/c1/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-10-14 16:12:43 ERROR 404: Not Found.

# ...ah! staticweb just told us this container exists :(

As a final step to the example above, now set web-listings to true and we get a 401, which is correct, but 404 when web-listings is false is not good.

# this is correct - when web-listings is true we get a 401...

swift@u134:~/swift$ swift post -m 'web-listings: true' c1
swift@u134:~/swift$ wget localhost:8080/v1/AUTH_test/c1/
--2015-10-14 16:40:32-- http://localhost:8080/v1/AUTH_test/c1/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.

Alistair: sorry, you're right of course.

So the reason is that the metadata setting for static web is still there (swift post -m 'web-listings: no' c1). Thus this effects only containers in this special case (web-listings set to no without an ACL); you'll get the error msg "The owner of this web site has disabled web listing" then.

Christian - yep that's the corner case, you set 'web-listings: no', remove the container ACL, but oops, unauth'd GETs will see a 404.

Since this report concerns a possible security risk, an incomplete security advisory task.

It seems like the impact is pretty low, thought on keeping this private ?

To summarize, this bug allows a someone to confirm the existence of a container with no ACL but web-listing true, it doesn't actually provide a means to find containers (short of randomly guessing) nor disclose any contents? If so, this seems more like a security hardening opportunity than something for which we'd issue a security advisory.

@Jeremy, your summary is accurate. If you guess a container name, you could confirm it exists.

I tend to tag as a vulnerability when I am not sure, and then hope that someone wiser will make a judgement:) If containers are randomly named then its hard to guess their names. If they are not, and their names are easy to guess, then does that count as disclosing 'content'? I guess it depends on whether you consider the name of your container to be sensitive information.

I noticed that https://bugs.launchpad.net/swift/+bug/1489749 was made public, so perhaps there is precedent to make this public. Bug 1489749 allowed potentially greater disclosure of information. So on those grounds I wouldn't object to this bug being made public.

Thanks, I've opened this bug and removed the OSSA task.

Fix proposed to branch: master
Review: https://review.openstack.org/248867

Here's a couple more examples of how the existence or not of a container can be revealed to an unauth'd request:

With no trailing '/' on container path and web-listing=no, different response for an existing vs non-existing container:

% swift post -m 'web-listings: no ' c1
% swift post -r '' c1
% curl -X GET localhost:8080/v1/AUTH_test/c1 -is |grep HTTP
HTTP/1.1 301 Moved Permanently
% curl -X GET localhost:8080/v1/AUTH_test/nonexistent -is |grep HTTP
HTTP/1.1 401 Unauthorized

Using x-meta-web header, non-existent containers return a 404, but existing private containers with web-listings=true return a 401:

% swift post -m 'web-listings: yes ' c1
% swift post -r '' c1
% curl -X GET localhost:8080/v1/AUTH_test/c1/ -H 'x-web-mode: true' -is |grep HTTP
HTTP/1.1 401 Unauthorized
% curl -X GET localhost:8080/v1/AUTH_test/nonexistent/ -H 'x-web-mode: true' -is |grep HTTP
HTTP/1.1 404 Not Found

Reviewed: https://review.openstack.org/248867
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=75ab3cb78862647644af7eaf5e0fb590e73ae341
Submitter: Jenkins
Branch: master

commit 75ab3cb78862647644af7eaf5e0fb590e73ae341
Author: Alistair Coles <email address hidden>
Date: Wed Oct 14 15:49:35 2015 +0100

    Stop staticweb revealing container existence to unauth'd requests

    When a container has `X-Container-Meta-Web-Listings: false` then
    staticweb will return a 404 in response to a GET or HEAD on the
    container, regardless of whether the request is auth'd. That provides
    a way to probe for container existence. It should return a 401 if the
    request is not auth'd.

    This patch adds a call to swift.authorize before returning the 404.

    Closes-Bug: 1506116
    Change-Id: I382323b49dc8f6d67bf4494db7084a860a10db59

Fix proposed to branch: feature/crypto
Review: https://review.openstack.org/308874

Reviewed: https://review.openstack.org/308874
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=bc138e74cc60d94710486365636a5153422e00a3
Submitter: Jenkins
Branch: feature/crypto

commit 7d7eaab5afa4c36f0ac8467784138fc423f6ac4f
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Apr 18 06:31:34 2016 +0000

    Imported Translations from Zanata

    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure

    Change-Id: I88be5c9dbb1fcc3a15592d42af7160478308b1f4

commit ca304cd08e9f8d37e4027f2f71dd77ebba3a30f9
Author: Samuel Merritt <email address hidden>
Date: Fri Apr 15 17:22:44 2016 -0700

    Ignore negative suffix-byte-range requests.

    If the client asked for "Range: bytes=--123", Swift would respond with
    a 206 and a Content-Length of -123. Now that Range header is ignored
    just like all kinds of other invalid Range headers.

    Change-Id: I30d4522d223076ce342d20c52f57ff0eb2aea1f4
    Closes-Bug: 1571106

commit 746d928a875281a7154dcd438f46a58bbf656db9
Author: Dmitriy Ukhlov <email address hidden>
Date: Fri Apr 8 16:00:16 2016 +0300

    Adds eventlet monkey patching of select module if thread is pathed

    Oslo.messaging pika driver requires patching of select module if thread
    is patched.
    Pika driver uses select call and if it is not patched onsuming messages
    blocks whole eventlet loop

    Closes-Bug: #1570242
    Change-Id: I9756737309f401ebddb7475eb84725f65bca01bf

commit c96d5c671db9c96f65067d93c0a307cf4b7d91b4
Author: oshritf <email address hidden>
Date: Thu Feb 18 14:50:08 2016 +0200

    Per container stat. report

    In addition to the container sync stat. report, keeping per container
    statistics allows administrator with more control over bytes
    transfered over a specific time per user account: The per container stats
    are crucial for billing purposes and provides the operator a 'progress
    bar' equivalent on the container's replication status.

    Change-Id: Ia8abcdaf53e466e8d60a957c76e32c2b2c5dc3fa

commit be84b03a07892f4972dd59309ad261fc72bd7ede
Author: dharmendra <email address hidden>
Date: Thu Apr 14 16:41:09 2016 +0530

    Removing unused clause

    Removing unused clause from common/middleware/dlo.py

    Change-Id: I7de9aaefd203c4f1be00ee74b89b5184fd419469

commit fb3692c9bb662d9cadc4238920f86676857a7f1f
Author: Tim Burke <email address hidden>
Date: Wed Apr 13 11:07:44 2016 -0700

    Don't include conditional headers in SLO HEAD requests

    Previously, attempting to PUT a SLO manifest with `If-None-Match: *`
    would include the header when validating the segments, causing the
    upload to fail.

    Now when SLO validates segments, no conditional headers will be
    included in the HEAD request.

    Change-Id: I03ad454092d3caa73d29e6d30d8033b45bc96136
    Closes-Bug: #1569253

commit 0e7fca576cee81dd6ca8774760cb880c3fff9c1c
Author: Tin Lam <email address hidden>
Date: Fri Apr 8 18:17:44 2016 -0500

    Convert README.md to README.rst

    Change-Id: I223890bd4ffe469becc2127f9362243cdb52b...

Fix proposed to branch: feature/hummingbird
Review: https://review.openstack.org/323599

Reviewed: https://review.openstack.org/323599
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=0330478b70d0a699a0f9c21ef87c7e639d92564b
Submitter: Jenkins
Branch: feature/hummingbird

commit 5fe392b562de3baed080704df433fb392cb4fb31
Author: Ondřej Nový <email address hidden>
Date: Tue May 31 16:25:50 2016 +0200

    Fixed typo

    Change-Id: I7a35c0076360c7a23cf405189828d3c252ec6708

commit b52eccb3b1ea0591f0040587228d3705b5d3f68d
Author: Clay Gerrard <email address hidden>
Date: Wed May 25 11:21:25 2016 -0700

    Clarify overload best practices in admin guide

    Change-Id: Ib7c08bdeab6374771bb8e2b05053e7e16973524d

commit f1fd50723bb84c4941e949895576733f6eb67793
Author: Christian Schwede <email address hidden>
Date: Wed May 25 09:53:31 2016 +0200

    Add dispersion --verbose example to admin guide

    Change-Id: I5f9cacedde2a329332ccf744800b6f2453e8b28e

commit b3ab715c055283ccfea9a504d6da20741d82e7ad
Author: Matthew Oliver <email address hidden>
Date: Wed May 25 14:35:54 2016 +1000

    Add ring-builder dispersion command to admin guide

    This change updates the admin guide to point out the dispersion command
    in swift-ring-builder and mentions the dispersion verbose table to make
    it more obvious to operators.

    Change-Id: I72b4c8b2d718e6063de0fdabbaf4f2b73694e0a4

commit fb7a8e9ab7596a36a6992a3a8f8c6d005a2c2829
Author: Tim Burke <email address hidden>
Date: Tue May 24 13:37:58 2016 -0700

    Add links to mitaka install guides

    Change-Id: I62331923751c521daded4468b5cc5f03655226bc

commit e09c4ee7800e82aa09ca2f6ae375420b766182a4
Author: Tim Burke <email address hidden>
Date: Fri Apr 29 12:12:00 2016 -0500

    Allow concurrent bulk deletes

    Before, server-side deletes of static large objects could take a long
    time to complete since the proxy would wait for a response to each
    segment DELETE before starting the next DELETE request.

    Now, operators can configure a concurrency factor for the slo and bulk
    middlewares to allow up to N concurrent DELETE requests. By default, two
    DELETE requests will be allowed at a time.

    Note that objects and containers are now deleted in separate passes, to
    reduce the likelihood of 409 Conflict responses when deleting
    containers.

    Upgrade Consideration
    =====================
    If operators have enabled the bulk or slo middlewares and would like to
    preserve the prior (single-threaded) DELETE behavior, they must add the
    following line to their [filter:slo] and [filter:bulk] proxy config
    sections:

       delete_concurrency = 1

    This may be done prior to upgrading Swift.

    UpgradeImpact
    Closes-Bug: 1524454
    Change-Id: I128374d74a4cef7a479b221fd15eec785cc4694a

commit 226557afc42c245e050d84162497f46341407ef7
Author: Tim Burke <email address hidden>
Date: Thu May 19 18:55:40 2016 -0700

    Turn on H703, so our translators don't punch us

    Change-Id: I4ce3068f79563e4d4296c6e1078bc12f0cf84c96
    Related-Bug: 1559431

commit 7b706926a8ed5bbcec3a678e868e301c9a6ed8f1
Author: Alistair Coles <email address hidden>
Date: Mon May ...

This issue was fixed in the openstack/swift 2.8.0 release.