Swift uses the insecure MD5 algorithm in etag and content-md5 and image checksum.

Bug #1942269 reported by Kevin Li
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

High level description: Swift uses the insecure MD5 algorithm in etag and content-md5. SHA256, SHA512, or other more secure algorithms should be used.
Pre-conditions: NA
Step-by-step reproduction steps: NA
Expected output: NA
Actual output: NA

Version: Train

Environment: NA

Perceived severity: NA

Tags (Affected component): NA
Attachments: Swift uses the insecure MD5 algorithm in etag and content-md5 and image checksum.

For example:
swift/common/middleware/dlo.py:332
from hashlib import md5  # import as used in this version of Swift

# Drop any upstream Etag, then derive the manifest's Etag from the
# hex digests of its segments (the dict's 'hash' field), quotes stripped.
response_headers = [(h, v) for h, v in response_headers
                    if h.lower() != "etag"]
etag = md5()
for seg_dict in segments:
    etag.update(seg_dict['hash'].strip('"').encode('utf8'))
response_headers.append(('Etag', '"%s"' % etag.hexdigest()))

swift.common.middleware.s3api.s3request.S3Request.check_md5
import base64
from hashlib import md5  # import as used in this version of Swift

def check_md5(self, body):
    # The S3 API requires a Content-MD5 header on this request.
    if 'HTTP_CONTENT_MD5' not in self.environ:
        raise InvalidRequest('Missing required header for this request: '
                             'Content-MD5')

    # Content-MD5 carries the base64-encoded raw MD5 digest of the body.
    digest = base64.b64encode(md5(body).digest()).strip().decode('ascii')
    if self.environ['HTTP_CONTENT_MD5'] != digest:
        raise BadDigest(content_md5=self.environ['HTTP_CONTENT_MD5'])
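The two checks quoted above, rewritten as an added, stand-alone example; this is not Swift's code and not the reporter's. It assumes a constructed WSGI-style environ and hypothetical names (md5_noncrypto, content_md5_header, check_content_md5, verify_content_md5, dlo_etag). Both header formats are fixed by the protocols Swift implements: Content-MD5 is the base64 of the raw MD5 digest of the body, and a DLO Etag is the hex MD5 over the segment Etags. A Content-MD5 match therefore detects accidental corruption in transit; it does not authenticate the sender, because anyone who can change the body can recompute the header. Python 3.9+ lets a caller mark such protocol-mandated MD5 use as non-cryptographic with hashlib's usedforsecurity=False, which is what FIPS-mode builds look at; the helper falls back to plain md5() on older interpreters.

```python
import base64
import hashlib
import hmac


class InvalidRequest(Exception):
    """Request is missing a header the API makes mandatory."""


class BadDigest(Exception):
    """Content-MD5 header did not match the body that was received."""


def md5_noncrypto(data=b""):
    """MD5 for protocol-defined checksums (Content-MD5, S3/DLO Etag).

    usedforsecurity=False (Python 3.9+) tells FIPS-mode builds this is an
    integrity checksum, not a cryptographic use. Older Pythons reject the
    keyword, so fall back to the plain constructor there.
    """
    try:
        h = hashlib.md5(usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity parameter
        h = hashlib.md5()
    h.update(data)
    return h


def hex_md5(data):
    """Hex digest, as Swift stores per-object Etags."""
    return md5_noncrypto(data).hexdigest()


def content_md5_header(body):
    """Value a client would send in Content-MD5 for this body."""
    return base64.b64encode(md5_noncrypto(body).digest()).decode("ascii")


def check_content_md5(environ, body):
    """Mirror of the s3api check: missing header -> InvalidRequest,
    mismatch -> BadDigest. Returns the matching header value on success."""
    if "HTTP_CONTENT_MD5" not in environ:
        raise InvalidRequest("Missing required header for this request: "
                             "Content-MD5")
    expected = environ["HTTP_CONTENT_MD5"].strip()
    actual = content_md5_header(body)
    # Constant-time comparison; both values are short ASCII strings.
    if not hmac.compare_digest(expected, actual):
        raise BadDigest("Content-MD5 %r does not match body" % expected)
    return actual


def verify_content_md5(environ, body):
    """Non-raising wrapper returning 'ok', 'missing' or 'bad-digest'."""
    try:
        check_content_md5(environ, body)
    except InvalidRequest:
        return "missing"
    except BadDigest:
        return "bad-digest"
    return "ok"


def dlo_etag(segment_etags):
    """Manifest Etag as the DLO middleware builds it: MD5 over the
    concatenated segment Etags, each with surrounding quotes removed."""
    etag = md5_noncrypto()
    for seg_etag in segment_etags:
        etag.update(seg_etag.strip('"').encode("utf8"))
    return etag.hexdigest()


if __name__ == "__main__":
    # Constructed sample request: body plus the header a client would send.
    body = b"hello"
    environ = {"HTTP_CONTENT_MD5": content_md5_header(body)}
    print("intact body:", verify_content_md5(environ, body))
    print("altered body:", verify_content_md5(environ, b"hellp"))
    print("no header:", verify_content_md5({}, body))
    # Two constructed segment Etags, quoted as they appear in a listing.
    print("manifest etag:", dlo_etag(['"%s"' % hex_md5(b"seg-1"),
                                      '"%s"' % hex_md5(b"seg-2")]))
```

Running the block prints ok / bad-digest / missing for the three request variants, then the manifest Etag. Note that the Etag of a DLO manifest is not the MD5 of the concatenated object data, so a client cannot validate a downloaded large object by hashing what it received; it can only recompute the same hash-of-hashes from the segment listing.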
