Diffstat (limited to 'dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch')
-rw-r--r--dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch90
1 files changed, 90 insertions, 0 deletions
diff --git a/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch
new file mode 100644
index 000000000000..b38cd597c3d4
--- /dev/null
+++ b/dev-python/oslo-middleware/files/cve-2017-2592-stable-newton.patch
@@ -0,0 +1,90 @@
+From 095e90929d114e4b6cece67cb405741c14747356 Mon Sep 17 00:00:00 2001
+From: Jamie Lennox <jamielennox@gmail.com>
+Date: Wed, 28 Sep 2016 15:03:53 +1000
+Subject: [PATCH] Filter token data out of catch_errors middleware
+
+If an exception is caught by the catch_errors middleware the entire
+request is dumped into the log including sensitive information like
+tokens. Filter that information before outputting the failed request.
+
+Closes-Bug: #1628031
+Change-Id: I2563403993513c37751576223275350cac2e0937
+---
+ oslo_middleware/catch_errors.py | 6 +++++-
+ oslo_middleware/tests/test_catch_errors.py | 25 +++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/oslo_middleware/catch_errors.py b/oslo_middleware/catch_errors.py
+index 43d085f..0934fc5 100644
+--- a/oslo_middleware/catch_errors.py
++++ b/oslo_middleware/catch_errors.py
+@@ -14,6 +14,7 @@
+ # under the License.
+
+ import logging
++import re
+
+ import webob.dec
+ import webob.exc
+@@ -24,6 +25,8 @@ from oslo_middleware import base
+
+ LOG = logging.getLogger(__name__)
+
++_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)
++
+
+ class CatchErrors(base.ConfigurableMiddleware):
+ """Middleware that provides high-level error handling.
+@@ -37,7 +40,8 @@ class CatchErrors(base.ConfigurableMiddleware):
+ try:
+ response = req.get_response(self.application)
+ except Exception:
++ req_str = _TOKEN_RE.sub(r'\1: <removed>', req.as_text())
+ LOG.exception(_LE('An error occurred during '
+- 'processing the request: %s'), req)
++ 'processing the request: %s'), req_str)
+ response = webob.exc.HTTPInternalServerError()
+ return response
+diff --git a/oslo_middleware/tests/test_catch_errors.py b/oslo_middleware/tests/test_catch_errors.py
+index 920bbe2..0b675e2 100644
+--- a/oslo_middleware/tests/test_catch_errors.py
++++ b/oslo_middleware/tests/test_catch_errors.py
+@@ -13,6 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+
++import fixtures
+ import mock
+ from oslotest import base as test_base
+ import webob.dec
+@@ -45,3 +46,27 @@ class CatchErrorsTest(test_base.BaseTestCase):
+ self._test_has_request_id(application,
+ webob.exc.HTTPInternalServerError.code)
+ self.assertEqual(1, log_exc.call_count)
++
++ def test_filter_tokens_from_log(self):
++ logger = self.useFixture(fixtures.FakeLogger(nuke_handlers=False))
++
++ @webob.dec.wsgify
++ def application(req):
++ raise Exception()
++
++ app = catch_errors.CatchErrors(application)
++ req = webob.Request.blank('/test',
++ text=u'test data',
++ method='POST',
++ headers={'X-Auth-Token': 'secret1',
++ 'X-Service-Token': 'secret2',
++ 'X-Other-Token': 'secret3'})
++ res = req.get_response(app)
++ self.assertEqual(500, res.status_int)
++
++ output = logger.output
++
++ self.assertIn('X-Auth-Token: <removed>', output)
++ self.assertIn('X-Service-Token: <removed>', output)
++ self.assertIn('X-Other-Token: <removed>', output)
++ self.assertIn('test data', output)
+--
+2.7.4
+
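Review bot: The redaction at `_TOKEN_RE = re.compile('^(X-\w+-Token):.*$', flags=re.MULTILINE)` masks only header names of the exact form `X-<word>-Token`, so an `Authorization` header (basic or bearer credentials) on a failing request still reaches the log unchanged through `req.as_text()`, and the pattern is not a raw string, which newer Pythons flag as an invalid `\w` escape. Webob appears to title-case header names when rendering the environ, so the case-sensitive match is probably fine in practice, but adding `re.IGNORECASE` costs nothing; a one-line widening would be `_TOKEN_RE = re.compile(r'^(X-\w+-Token|Authorization):.*$', flags=re.MULTILINE | re.IGNORECASE)`. Note also that the request body is deliberately kept in the log (the new test asserts `'test data'` is present), so any credentials carried in a body are still exposed; that is worth a comment such as `# body is logged unfiltered; only X-*-Token headers are masked` next to the `req_str` line so operators are not surprised. The enclosing request handler starts before this hunk.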