authorClay Gerrard <clay.gerrard@gmail.com>2015-07-23 22:36:21 -0700
committerJohn Dickinson <me@not.mn>2015-08-26 07:54:02 -0700
commit0694e1911d10a18075ff99462c96781372422b2c (patch)
tree5228d9166c6745465fc2587eb62dc5de771ce145 /test/functional/tests.py
parentb7f1768a17d1bf830a387e06a464bae00220b57a (diff)
Disallow unsafe tempurl operations to point to unauthorized datajuno-eolstable/juno
Do not allow PUT tempurls to create pointers to other data. Specifically disallow the creation of DLO object manifests by returning an error if a non-safe tempurl request includes an X-Object-Manifest header regardless of the value of the header. This prevents discoverability attacks which can use any PUT tempurl to probe for private data by creating a DLO object manifest and then using the PUT tempurl to head the object which would 404 if the prefix does not match any object data or form a valid DLO HEAD response if it does. This also prevents a tricky and potentially unexpected consequence of PUT tempurls which would make it unsafe to allow a user to download objects created by tempurl (even if they just created them) because the result of reading the object created via tempurl may not be the data which was uploaded. [CVE-2015-5223] Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp> Closes-Bug: 1453948 Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8
Diffstat (limited to 'test/functional/tests.py')
-rw-r--r--test/functional/tests.py36
1 files changed, 36 insertions, 0 deletions
diff --git a/test/functional/tests.py b/test/functional/tests.py
index e57f22b08..654949f8f 100644
--- a/test/functional/tests.py
+++ b/test/functional/tests.py
@@ -2687,6 +2687,42 @@ class TestTempurl(Base):
self.assert_(new_obj.info(parms=put_parms,
cfg={'no_auth_token': True}))
+ def test_PUT_manifest_access(self):
+ new_obj = self.env.container.file(Utils.create_name())
+
+ # give out a signature which allows a PUT to new_obj
+ expires = int(time.time()) + 86400
+ sig = self.tempurl_sig(
+ 'PUT', expires, self.env.conn.make_path(new_obj.path),
+ self.env.tempurl_key)
+ put_parms = {'temp_url_sig': sig,
+ 'temp_url_expires': str(expires)}
+
+ # try to create manifest pointing to some random container
+ try:
+ new_obj.write('', {
+ 'x-object-manifest': '%s/foo' % 'some_random_container'
+ }, parms=put_parms, cfg={'no_auth_token': True})
+ except ResponseError as e:
+ self.assertEqual(e.status, 400)
+ else:
+ self.fail('request did not error')
+
+ # create some other container
+ other_container = self.env.account.container(Utils.create_name())
+ if not other_container.create():
+ raise ResponseError(self.conn.response)
+
+ # try to create manifest pointing to new container
+ try:
+ new_obj.write('', {
+ 'x-object-manifest': '%s/foo' % other_container
+ }, parms=put_parms, cfg={'no_auth_token': True})
+ except ResponseError as e:
+ self.assertEqual(e.status, 400)
+ else:
+ self.fail('request did not error')
+
def test_HEAD(self):
expires = int(time.time()) + 86400
sig = self.tempurl_sig(
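Review bot: The container-create failure path in test_PUT_manifest_access reads `self.conn` in `raise ResponseError(self.conn.response)`, while the other connection access in this test goes through `self.env.conn`. Unless the base class defines `self.conn` (not visible in this hunk), a failed create would surface as an AttributeError instead of the intended ResponseError, so `raise ResponseError(self.env.conn.response)` looks like what was meant. The second manifest value, `'%s/foo' % other_container`, formats the container object rather than its name, so the header may not hold a real container path. Because the fix rejects the header regardless of its value the 400 still passes, but the case then does not exercise an existing container; formatting the container's name would. The regression test would also be stronger if, after each 400, an authenticated request confirmed that nothing was created at new_obj's path.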