yahoo-eng-team team mailing list archive

[Bug 1036343] Re: Validation of Timestamp/Expires for ec2 query parameters is not correct

 

** Changed in: oslo/grizzly
       Status: New => Fix Released

** Changed in: oslo/grizzly
    Milestone: None => 2013.1

** Changed in: oslo/grizzly
     Assignee: (unassigned) => Sirisha Devineni (sirisha-devineni)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1036343

Title:
  Validation of Timestamp/Expires for ec2 query parameters is not
  correct

Status in OpenStack Compute (Nova):
  Fix Released
Status in Oslo - a Library of Common OpenStack Code:
  Fix Released
Status in oslo grizzly series:
  Fix Released

Bug description:
  It doesn't appear that the Timestamp query parameter for ec2
  requests is completely validated or used. Looking at the class
  "Requestify" in ../nova/api/ec2/__init__.py, there are several
  potential issues:

  1. Only Timestamp is tested for, but Expires isn't.
  2. The format of the Timestamp is not tested for.
  3. The value of the Timestamp is not tested to be within some time delta.

  The AWS documentation states at this link

  http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/Query-Common-Parameters.html

  "Requests must include either Timestamp or Expires, but cannot contain
  both" and "The date and time at which the request is signed, in the
  format YYYY-MM-DDThh:mm:ssZ" which addresses points 1 and 2 above.

  The AWS documentation at this link and others

  http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Error_Messages.html

  states,

  "Why do I get keep getting "Request has expired" errors?

  To reduce the risk of replay attacks, our requests include a
  timestamp. This and the most important parts of the request are signed
  to ensure the message (including the timestamp) cannot be modified
  without detection.

  If the difference between the timestamp in the request and the time on
  our servers is larger than 5 minutes, the request is too old (or too
  new) and an error is returned.

  You need to ensure that your system clock is accurate and configured
  to use the correct time zone. For more information, go to NTP."

  Looking at the code in Requestify and searching the rest of the code
  base for use of "Timestamp", I don't see any places where Timestamp is
  used or tested. It seems like this is a potential security-related issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1036343/+subscriptions
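
The three checks listed in the bug description (exactly one of Timestamp or Expires, strict YYYY-MM-DDThh:mm:ssZ format, 5-minute window), as an added example that is not the nova or oslo fix. The function and exception names are hypothetical, and rejecting an Expires value that is already in the past is an assumption about its semantics.

```python
import re
from datetime import datetime, timedelta, timezone

# Strict shape check first: strptime alone also accepts "2013-4-4T1:2:3Z".
ISO_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z")
ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)  # window quoted in the bug description


class InvalidRequestTime(ValueError):  # hypothetical name
    """Timestamp/Expires is missing, duplicated, malformed or out of window."""


def _parse(name, value):
    if not isinstance(value, str) or not ISO_RE.fullmatch(value):
        raise InvalidRequestTime(f"{name} must be YYYY-MM-DDThh:mm:ssZ")
    try:
        parsed = datetime.strptime(value, ISO_FORMAT)
    except ValueError:  # right shape, impossible date such as month 13
        raise InvalidRequestTime(f"{name} is not a valid date") from None
    return parsed.replace(tzinfo=timezone.utc)


def check_request_time(params, now=None):
    """Validate Timestamp/Expires in a dict of query parameters.

    `now` is an aware UTC datetime, injectable so the check can be tested.
    Returns the name of the parameter that was accepted.
    """
    now = now or datetime.now(timezone.utc)
    has_timestamp, has_expires = "Timestamp" in params, "Expires" in params
    if has_timestamp == has_expires:  # both present, or neither
        raise InvalidRequestTime("exactly one of Timestamp or Expires required")
    if has_expires:
        # Assumption: Expires is the instant after which the request is void.
        if _parse("Expires", params["Expires"]) <= now:
            raise InvalidRequestTime("request has expired")
        return "Expires"
    signed_at = _parse("Timestamp", params["Timestamp"])
    # Too old and too new are both rejected, as the quoted AWS text describes.
    if abs(now - signed_at) > MAX_SKEW:
        raise InvalidRequestTime("Timestamp is more than 5 minutes off")
    return "Timestamp"
```

Run it only after the request signature has been verified, since the AWS text quoted above relies on the timestamp being covered by the signature.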