yahoo-eng-team team mailing list archive

[Bug 1951429] [NEW] Neutron API responses should not contain tracebacks


Public bug reported:

Security folks found some corner cases in the neutron API where the
response contains a traceback, for example:

$ curl --request-target foo -k http://127.0.0.1:9696
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 563, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 208, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 130, in normalize_url
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')

As a developer I don't mind such tracebacks, but I see their point that
this may give away unwanted information to an attacker. On the other
hand I would not consider this in itself a vulnerability.

Pushing a trivial fix in a minute.

** Affects: neutron
     Importance: Low
     Assignee: Bence Romsics (bence-romsics)
         Status: In Progress


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1951429

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1951429/+subscriptions
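The report above is about a Python traceback reaching the HTTP client. As an added example (not neutron's code and not the fix the reporter refers to), the block below is a generic WSGI middleware that catches any unhandled exception, logs the traceback server-side for operators, and returns a bare 500 to the client. `invalid_target_app` is a stand-in application that raises the same AssertionError `paste.urlmap.normalize_url` raises for a request-target such as `foo`; `call` is a minimal in-process WSGI client; `leaks_traceback` is a check a test suite could run over response bodies. None of these names belong to neutron, paste or eventlet.

```python
"""WSGI middleware that keeps Python tracebacks out of HTTP responses.

Added example, not neutron's own code. The exception is logged with its
stack trace on the server; the client only ever sees a generic 500 body.
"""
import io
import logging
import sys

log = logging.getLogger("wsgi.safe_errors")

# Substrings that should never appear in a response body sent to a client.
TRACEBACK_MARKERS = (b"Traceback (most recent call last)", b'File "', b"dist-packages")


def invalid_target_app(environ, start_response):
    """Stand-in app (hypothetical): mimics paste.urlmap's assertion on a bad request-target."""
    url = environ.get("PATH_INFO", "")
    assert (not url or url.startswith("/")), (
        "URL fragments must start with / or http:// (you gave %r)" % url)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


class HideTracebackMiddleware:
    """Turn any unhandled exception from the wrapped app into a generic 500.

    The traceback goes to the server log (via log.exception) and never to the client.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            log.exception("unhandled error serving %s %r",
                          environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"))
            body = b"500 Internal Server Error\n"
            # PEP 3333: passing exc_info lets start_response be called again even if
            # the wrapped app had already set headers before it raised.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))],
                           sys.exc_info())
            return [body]


def call(app, path, method="GET"):
    """Minimal in-process WSGI client: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path,
        "SERVER_NAME": "localhost", "SERVER_PORT": "9696",
        "wsgi.version": (1, 0), "wsgi.url_scheme": "http",
        "wsgi.input": io.BytesIO(b""), "wsgi.errors": sys.stderr,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def leaks_traceback(body):
    """True if a response body contains traceback-shaped text."""
    return any(marker in body for marker in TRACEBACK_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    app = HideTracebackMiddleware(invalid_target_app)
    status, _, body = call(app, "foo")  # the request-target from the bug report
    print(status, body.decode(), "leaks traceback:", leaks_traceback(body))
```

Catching the exception in middleware means the response body no longer depends on how the hosting server renders unhandled errors; with the eventlet wsgi server in the traceback above, whether the trace is echoed into the 500 body is governed by that server's own debug setting, so wrapping the application is the more robust of the two controls.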
