commit: ad8a82887a3e612cae719a7ce6219f9ee760fc66 |
Author: Matthew Thode <prometheanfire <AT> gentoo <DOT> org> |
AuthorDate: Thu Jan 26 21:40:53 2017 +0000 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 26 21:43:41 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ad8a8288 |
|
dev-python/oslo-middleware: fix CVE-2017-2592 bug 606976 |
|
Package-Manager: portage-2.3.3 |
|
.../files/cve-2017-2592-stable-mitaka.patch | 90 ++++++++++++++++++++++ |
.../files/cve-2017-2592-stable-newton.patch | 90 ++++++++++++++++++++++ |
.../oslo-middleware-3.19.0-r1.ebuild | 59 ++++++++++++++ |
.../oslo-middleware-3.8.0-r2.ebuild | 60 +++++++++++++++ |
4 files changed, 299 insertions(+) |
|
18 |
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch |
19 |
new file mode 100644 |
20 |
index 00000000..b38cd59 |
21 |
--- /dev/null |
22 |
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-mitaka.patch |
23 |
@@ -0,0 +1,90 @@ |
24 |
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001 |
25 |
+From: Jamie Lennox <jamielennox@×××××.com> |
26 |
+Date: Wed, 28 Sep 2016 15:03:53 +1000 |
27 |
+Subject: [PATCH] Filter token data out of catch_errors middleware |
28 |
+ |
29 |
+If an exception is caught by the catch_errors middleware the entire |
30 |
+request is dumped into the log including sensitive information like |
31 |
+tokens. Filter that information before outputting the failed request. |
32 |
+ |
33 |
+Closes-Bug: #1628031 |
34 |
+Change-Id: I2563403993513c37751576223275350cac2e0937 |
35 |
+--- |
36 |
+ oslo_middleware/catch_errors.py | 6 +++++- |
37 |
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++ |
38 |
+ 2 files changed, 30 insertions(+), 1 deletion(-) |
39 |
+ |
40 |
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py |
41 |
+index 43d085f..0934fc5 100644 |
42 |
+--- a/oslo_middleware/catch_errors.py |
43 |
++++ b/oslo_middleware/catch_errors.py |
44 |
+@@ -14,6 +14,7 @@ |
45 |
+ # under the License. |
46 |
+ |
47 |
+ import logging |
48 |
++import re |
49 |
+ |
50 |
+ import webob.dec |
51 |
+ import webob.exc |
52 |
+@@ -24,6 +25,8 @@ from oslo_middleware import base |
53 |
+ |
54 |
+ LOG = logging.getLogger(__name__) |
55 |
+ |
56 |
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE) |
57 |
++ |
58 |
+ |
59 |
+ class CatchErrors(base.ConfigurableMiddleware): |
60 |
+ """Middleware that provides high-level error handling. |
61 |
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware): |
62 |
+ try: |
63 |
+ response = req.get_response(self.application) |
64 |
+ except Exception: |
65 |
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text()) |
66 |
+ LOG.exception(_LE('An error occurred during ' |
67 |
+- 'processing the request: %s'), req) |
68 |
++ 'processing the request: %s'), req_str) |
69 |
+ response = webob.exc.HTTPInternalServerError() |
70 |
+ return response |
71 |
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py |
72 |
+index 920bbe2..0b675e2 100644 |
73 |
+--- a/oslo_middleware/tests/test_catch_errors.py |
74 |
++++ b/oslo_middleware/tests/test_catch_errors.py |
75 |
+@@ -13,6 +13,7 @@ |
76 |
+ # License for the specific language governing permissions and limitations |
77 |
+ # under the License. |
78 |
+ |
79 |
++import fixtures |
80 |
+ import mock |
81 |
+ from oslotest import base as test_base |
82 |
+ import webob.dec |
83 |
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase): |
84 |
+ self._test_has_request_id(application, |
85 |
+ webob.exc.HTTPInternalServerError.code) |
86 |
+ self.assertEqual(1, log_exc.call_count) |
87 |
++ |
88 |
++ def test_filter_tokens_from_log(self): |
89 |
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False)) |
90 |
++ |
91 |
++ @webob.dec.wsgify |
92 |
++ def application(req): |
93 |
++ raise Exception() |
94 |
++ |
95 |
++ app = catch_errors.CatchErrors(application) |
96 |
++ req = webob.Request.blank('/test', |
97 |
++ text=u'test data', |
98 |
++ method='POST', |
99 |
++ headers={'X-Auth-Token': 'secret1', |
100 |
++ 'X-Service-Token': 'secret2', |
101 |
++ 'X-Other-Token': 'secret3'}) |
102 |
++ res = req.get_response(app) |
103 |
++ self.assertEqual(500, res.status_int) |
104 |
++ |
105 |
++ output = logger.output |
106 |
++ |
107 |
++ self.assertIn('X-Auth-Token: <removed>', output) |
108 |
++ self.assertIn('X-Service-Token: <removed>', output) |
109 |
++ self.assertIn('X-Other-Token: <removed>', output) |
110 |
++ self.assertIn('test data', output) |
111 |
+-- |
112 |
+2.7.4 |
113 |
+ |
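Review bot: The redaction this patch adds to catch_errors.py only masks headers matching `^(X-\w+-Token):.*$`, so an `Authorization:` header (Basic or bearer credentials), cookies, and the whole request body still reach the log verbatim on every unhandled exception — the added test even asserts that `'test data'` from the POST body is logged unfiltered, and if this middleware fronts a service that receives credentials in the body (a password-authentication request, for instance) that body would carry the password. A broader pattern such as `_TOKEN_RE = re.compile(r'^(X-\w+-Token|Authorization|Cookie):.*$', flags=re.MULTILINE)` plus logging only the headers rather than `req.as_text()` would close most of that gap; since this is a backport of an upstream change, any such tightening belongs upstream first, with the packaged patch refreshed afterwards. As a minor point the pattern is a non-raw string containing `\w`, which newer Python versions flag as an invalid escape sequence; `r'^(X-\w+-Token):.*$'` is the safe spelling. Whether this master-branch patch (upstream 095e909) applies cleanly to the 3.8.0 tarball cannot be seen from here and should be confirmed by building the ebuild.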
114 |
|
115 |
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch |
116 |
new file mode 100644 |
117 |
index 00000000..b38cd59 |
118 |
--- /dev/null |
119 |
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch |
120 |
@@ -0,0 +1,90 @@ |
121 |
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001 |
122 |
+From: Jamie Lennox <jamielennox@×××××.com> |
123 |
+Date: Wed, 28 Sep 2016 15:03:53 +1000 |
124 |
+Subject: [PATCH] Filter token data out of catch_errors middleware |
125 |
+ |
126 |
+If an exception is caught by the catch_errors middleware the entire |
127 |
+request is dumped into the log including sensitive information like |
128 |
+tokens. Filter that information before outputting the failed request. |
129 |
+ |
130 |
+Closes-Bug: #1628031 |
131 |
+Change-Id: I2563403993513c37751576223275350cac2e0937 |
132 |
+--- |
133 |
+ oslo_middleware/catch_errors.py | 6 +++++- |
134 |
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++ |
135 |
+ 2 files changed, 30 insertions(+), 1 deletion(-) |
136 |
+ |
137 |
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py |
138 |
+index 43d085f..0934fc5 100644 |
139 |
+--- a/oslo_middleware/catch_errors.py |
140 |
++++ b/oslo_middleware/catch_errors.py |
141 |
+@@ -14,6 +14,7 @@ |
142 |
+ # under the License. |
143 |
+ |
144 |
+ import logging |
145 |
++import re |
146 |
+ |
147 |
+ import webob.dec |
148 |
+ import webob.exc |
149 |
+@@ -24,6 +25,8 @@ from oslo_middleware import base |
150 |
+ |
151 |
+ LOG = logging.getLogger(__name__) |
152 |
+ |
153 |
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE) |
154 |
++ |
155 |
+ |
156 |
+ class CatchErrors(base.ConfigurableMiddleware): |
157 |
+ """Middleware that provides high-level error handling. |
158 |
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware): |
159 |
+ try: |
160 |
+ response = req.get_response(self.application) |
161 |
+ except Exception: |
162 |
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text()) |
163 |
+ LOG.exception(_LE('An error occurred during ' |
164 |
+- 'processing the request: %s'), req) |
165 |
++ 'processing the request: %s'), req_str) |
166 |
+ response = webob.exc.HTTPInternalServerError() |
167 |
+ return response |
168 |
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py |
169 |
+index 920bbe2..0b675e2 100644 |
170 |
+--- a/oslo_middleware/tests/test_catch_errors.py |
171 |
++++ b/oslo_middleware/tests/test_catch_errors.py |
172 |
+@@ -13,6 +13,7 @@ |
173 |
+ # License for the specific language governing permissions and limitations |
174 |
+ # under the License. |
175 |
+ |
176 |
++import fixtures |
177 |
+ import mock |
178 |
+ from oslotest import base as test_base |
179 |
+ import webob.dec |
180 |
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase): |
181 |
+ self._test_has_request_id(application, |
182 |
+ webob.exc.HTTPInternalServerError.code) |
183 |
+ self.assertEqual(1, log_exc.call_count) |
184 |
++ |
185 |
++ def test_filter_tokens_from_log(self): |
186 |
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False)) |
187 |
++ |
188 |
++ @webob.dec.wsgify |
189 |
++ def application(req): |
190 |
++ raise Exception() |
191 |
++ |
192 |
++ app = catch_errors.CatchErrors(application) |
193 |
++ req = webob.Request.blank('/test', |
194 |
++ text=u'test data', |
195 |
++ method='POST', |
196 |
++ headers={'X-Auth-Token': 'secret1', |
197 |
++ 'X-Service-Token': 'secret2', |
198 |
++ 'X-Other-Token': 'secret3'}) |
199 |
++ res = req.get_response(app) |
200 |
++ self.assertEqual(500, res.status_int) |
201 |
++ |
202 |
++ output = logger.output |
203 |
++ |
204 |
++ self.assertIn('X-Auth-Token: <removed>', output) |
205 |
++ self.assertIn('X-Service-Token: <removed>', output) |
206 |
++ self.assertIn('X-Other-Token: <removed>', output) |
207 |
++ self.assertIn('test data', output) |
208 |
+-- |
209 |
+2.7.4 |
210 |
+ |
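Review bot: This file is byte-identical to cve-2017-2592-stable-mitaka.patch added in the same commit — both are blob `b38cd59` and both carry the same upstream commit `095e909` with identical hunks — so the tree now holds two copies of one patch that must be kept in sync by hand. A single `cve-2017-2592.patch` referenced from both ebuilds would avoid that drift, or, if the intent was genuinely separate per-branch backports, the mitaka and newton variants should actually differ. If the upstream master patch does not apply cleanly to either the 3.8.0 or the 3.19.0 tarball that is not visible here; a build of both ebuilds would confirm it.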
211 |
|
212 |
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild |
213 |
new file mode 100644 |
214 |
index 00000000..062868e |
215 |
--- /dev/null |
216 |
+++ b/dev-python/oslo-middleware/oslo-middleware-3.19.0-r1.ebuild |
217 |
@@ -0,0 +1,59 @@ |
218 |
+# Copyright 1999-2017 Gentoo Foundation |
219 |
+# Distributed under the terms of the GNU General Public License v2 |
220 |
+# $Id$ |
221 |
+ |
222 |
+EAPI=6 |
223 |
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 ) |
224 |
+ |
225 |
+inherit distutils-r1 |
226 |
+ |
227 |
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows." |
228 |
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware" |
229 |
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz" |
230 |
+S="${WORKDIR}/oslo.middleware-${PV}" |
231 |
+ |
232 |
+LICENSE="Apache-2.0" |
233 |
+SLOT="0" |
234 |
+KEYWORDS="~amd64 ~arm64 ~x86" |
235 |
+IUSE="test" |
236 |
+ |
237 |
+PATCHES=( "${FILESDIR}/cve-2017-2592-stable-newton.patch" ) |
238 |
+ |
239 |
+CDEPEND=" |
240 |
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}] |
241 |
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]" |
242 |
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] |
243 |
+ ${CDEPEND} |
244 |
+ test? ( |
245 |
+ >=dev-python/fixtures-3.0.0[${PYTHON_USEDEP}] |
246 |
+ >=dev-python/mock-2.0.0[${PYTHON_USEDEP}] |
247 |
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}] |
248 |
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}] |
249 |
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}] |
250 |
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] |
251 |
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}] |
252 |
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}] |
253 |
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}] |
254 |
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}] |
255 |
+ )" |
256 |
+RDEPEND=" |
257 |
+ ${CDEPEND} |
258 |
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}] |
259 |
+ >=dev-python/oslo-config-3.14.0[${PYTHON_USEDEP}] |
260 |
+ >=dev-python/oslo-context-2.9.0[${PYTHON_USEDEP}] |
261 |
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}] |
262 |
+ >=dev-python/oslo-utils-3.16.0[${PYTHON_USEDEP}] |
263 |
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}] |
264 |
+ >=dev-python/stevedore-1.16.0[${PYTHON_USEDEP}] |
265 |
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}] |
266 |
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}] |
267 |
+" |
268 |
+ |
269 |
+python_prepare_all() { |
270 |
+ sed -i '/^hacking/d' test-requirements.txt || die |
271 |
+ distutils-r1_python_prepare_all |
272 |
+} |
273 |
+ |
274 |
+python_test() { |
275 |
+ nosetests tests/ || die "test failed under ${EPYTHON}" |
276 |
+} |
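Review bot: `python_test` runs `nosetests tests/`, but the regression test the applied patch adds lives in `oslo_middleware/tests/test_catch_errors.py`; unless the oslo.middleware sdist also ships a top-level `tests/` directory (not visible here), the CVE regression test `test_filter_tokens_from_log` never executes under USE=test and nose either errors out on the missing path or runs nothing. Pointing the runner at the package's own test tree, `nosetests oslo_middleware/tests/ || die "test failed under ${EPYTHON}"`, would exercise the new test and give the security bump an actual check that the redaction is in place. The `fixtures` dependency the new test needs is already listed under `test?`, so nothing else should be required.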
277 |
|
278 |
diff --git a/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild |
279 |
new file mode 100644 |
280 |
index 00000000..1a7e55b |
281 |
--- /dev/null |
282 |
+++ b/dev-python/oslo-middleware/oslo-middleware-3.8.0-r2.ebuild |
283 |
@@ -0,0 +1,60 @@ |
284 |
+# Copyright 1999-2017 Gentoo Foundation |
285 |
+# Distributed under the terms of the GNU General Public License v2 |
286 |
+# $Id$ |
287 |
+ |
288 |
+EAPI=5 |
289 |
+PYTHON_COMPAT=( python2_7 python3_4 python3_5 ) |
290 |
+ |
291 |
+inherit distutils-r1 |
292 |
+ |
293 |
+DESCRIPTION="Components injected into wsgi pipelines to intercept request/response flows." |
294 |
+HOMEPAGE="https://pypi.python.org/pypi/oslo.middleware" |
295 |
+SRC_URI="mirror://pypi/${PN:0:1}/oslo.middleware/oslo.middleware-${PV}.tar.gz" |
296 |
+S="${WORKDIR}/oslo.middleware-${PV}" |
297 |
+ |
298 |
+LICENSE="Apache-2.0" |
299 |
+SLOT="0" |
300 |
+KEYWORDS="~amd64 ~arm64 ~x86" |
301 |
+IUSE="test" |
302 |
+ |
303 |
+FILES=( "${FILESDIR}/cve-2017-2592-stable-mitaka.patch" ) |
304 |
+ |
305 |
+CDEPEND=" |
306 |
+ >=dev-python/pbr-1.6[${PYTHON_USEDEP}] |
307 |
+ <dev-python/pbr-2.0[${PYTHON_USEDEP}]" |
308 |
+DEPEND="dev-python/setuptools[${PYTHON_USEDEP}] |
309 |
+ ${CDEPEND} |
310 |
+ test? ( |
311 |
+ >=dev-python/fixtures-1.3.1[${PYTHON_USEDEP}] |
312 |
+ >=dev-python/mock-1.2[${PYTHON_USEDEP}] |
313 |
+ >=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}] |
314 |
+ !~dev-python/oslo-sphinx-3.4.0[${PYTHON_USEDEP}] |
315 |
+ >=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}] |
316 |
+ >=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}] |
317 |
+ !~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}] |
318 |
+ <dev-python/sphinx-1.3.0[${PYTHON_USEDEP}] |
319 |
+ >=dev-python/testtools-1.4.0[${PYTHON_USEDEP}] |
320 |
+ >=dev-python/coverage-3.6[${PYTHON_USEDEP}] |
321 |
+ )" |
322 |
+RDEPEND=" |
323 |
+ ${CDEPEND} |
324 |
+ >=dev-python/Babel-1.3[${PYTHON_USEDEP}] |
325 |
+ >=dev-python/jinja-2.8[${PYTHON_USEDEP}] |
326 |
+ >=dev-python/oslo-config-3.7.0[${PYTHON_USEDEP}] |
327 |
+ >=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}] |
328 |
+ >=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}] |
329 |
+ >=dev-python/oslo-utils-3.5.0[${PYTHON_USEDEP}] |
330 |
+ >=dev-python/six-1.9.0[${PYTHON_USEDEP}] |
331 |
+ >=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}] |
332 |
+ >=dev-python/webob-1.2.3[${PYTHON_USEDEP}] |
333 |
+ >=dev-python/debtcollector-1.2.0[${PYTHON_USEDEP}] |
334 |
+" |
335 |
+ |
336 |
+python_prepare_all() { |
337 |
+ sed -i '/^hacking/d' test-requirements.txt || die |
338 |
+ distutils-r1_python_prepare_all |
339 |
+} |
340 |
+ |
341 |
+python_test() { |
342 |
+ nosetests tests/ || die "test failed under ${EPYTHON}" |
343 |
+} |