author | Slawek Kaplonski <skaplons@redhat.com> | 2021-08-23 13:01:37 +0200 |
---|---|---|
committer | Bernard Cafarelli <bcafarel@redhat.com> | 2021-09-01 11:35:51 +0000 |
commit | 110fed07cb83deb3abd85073cb351066713b6384 (patch) | |
tree | a17cce2e6f68517144c5e368e0d5d16fb8ce0ef0 | |
parent | 8458e78649a462336d340923d752e418843301cb (diff) | |
download | neutron-110fed07cb83deb3abd85073cb351066713b6384.tar.gz |
Remove dhcp_extra_opt value after first newline character
Passing newline to the dnsmasq may cause security issues, especially
that in case of Neutron that dhcp options' values are controlled by
cloud users.
This patch removes everything after the first newline character
in the dhcp_extra_opt values before passing them to dnsmasq.
Conflicts:
neutron/tests/unit/agent/linux/test_dhcp.py
Closes-Bug: #1939733
Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
(cherry picked from commit df891f0593d234e01f27d7c0376d9702e178ecfb)
-rw-r--r-- | neutron/agent/linux/dhcp.py | 7 | ||||
-rw-r--r-- | neutron/tests/unit/agent/linux/test_dhcp.py | 7 | ||||
-rw-r--r-- | releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml | 6 |
3 files changed, 16 insertions, 4 deletions
diff --git a/neutron/agent/linux/dhcp.py b/neutron/agent/linux/dhcp.py
index 3114f436b0..67e5cfa045 100644
--- a/neutron/agent/linux/dhcp.py
+++ b/neutron/agent/linux/dhcp.py
@@ -1153,10 +1153,11 @@ class Dnsmasq(DhcpLocalProcess):
 else:
 option = 'option6:%s' % option
 if extra_tag:
- tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
+ tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
 else:
- tags = ('tag:' + tag, '%s' % option)
- return ','.join(tags + args)
+ tags = ['tag:' + tag, '%s' % option]
+
+ return ','.join(tags + [v.split("\n", 1)[0] for v in args])
 @staticmethod
 def _convert_to_literal_addrs(ip_version, ips):
diff --git a/neutron/tests/unit/agent/linux/test_dhcp.py b/neutron/tests/unit/agent/linux/test_dhcp.py
index c819782da3..0229bb8c47 100644
--- a/neutron/tests/unit/agent/linux/test_dhcp.py
+++ b/neutron/tests/unit/agent/linux/test_dhcp.py
@@ -225,6 +225,9 @@ class FakeV6PortExtraOpt(object):
 self.extra_dhcp_opts = [
 DhcpOpt(opt_name='dns-server',
 opt_value='ffea:3ba5:a17a:4ba3::100',
+ ip_version=6),
+ DhcpOpt(opt_name='malicious-option',
+ opt_value='aaa\nbbb.ccc\n',
 ip_version=6)]
@@ -2700,7 +2703,9 @@ class TestDnsmasq(TestBase):
 exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
 'option6:domain-search,openstacklocal\n'
 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
- 'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
+ 'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
+ 'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+ 'option6:malicious-option,aaa').lstrip()
 dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
 dm._output_hosts_file()
 dm._output_opts_file()
diff --git a/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
new file mode 100644
index 0000000000..d2a8c2f68b
--- /dev/null
+++ b/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
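Review bot: The guard on the new `return` line truncates only the values in `args`; the option name interpolated on the context line above it (`option = 'option6:%s' % option`) and the `extra_tag` fragment reach the same `','.join` untouched, so if either can carry tenant-supplied text (not visible in this hunk) the same line-break problem remains open there. Only `\n` is treated as a line end — a `\r` survives the split, which is fine only if dnsmasq's config reader never treats a bare CR as a terminator, something this hunk does not establish. The truncation is also silent: a value containing a newline is shortened with no log entry, so an operator cannot see that a tenant submitted one — rejecting such values at API validation time, or at least logging a warning here when `v.split("\n", 1)[0] != v`, would make the event visible. A why-comment would help the next reader, e.g. `# A newline would end the dnsmasq option line, so keep only the text before the first one.` The enclosing method starts outside the hunk.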
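Review bot: The new fixture only exercises a value whose newline sits mid-string (`'aaa\nbbb.ccc\n'` rendered as `aaa`); a value that begins with a newline is truncated to the empty string and would be emitted as `option6:malicious-option,` with nothing after the comma, which the expectation in the second hunk does not cover and whose acceptance by dnsmasq is not established here. A second `DhcpOpt` with `opt_value='\nbbb'` and a matching line in `exp_opt_data`, or an assertion that such a value is rejected, would pin that edge. The `FakeV6PortExtraOpt.__init__` body continues outside the hunk.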
@@ -0,0 +1,6 @@
+---
+security:
+ - |
+ Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
+ dropping from the dhcp extra option values everything what is after first
+ newline (``\n``) character before passing them to the dnsmasq. |