yahoo-eng-team team mailing list archive
Message #88047
[Bug 1951429] Re: Neutron API responses should not contain tracebacks
Reviewed: https://review.opendev.org/c/openstack/neutron/+/818391
Committed: https://opendev.org/openstack/neutron/commit/0256e494d029ac18bc6c9fed0fd995283c675075
Submitter: "Zuul (22348)"
Branch: master
commit 0256e494d029ac18bc6c9fed0fd995283c675075
Author: Bence Romsics <bence.romsics@xxxxxxxxx>
Date: Thu Nov 18 15:01:20 2021 +0100
Disable tracebacks of eventlet.wsgi.server
Security folks considered tracebacks in API responses unwanted.
Some additional lower constraints had to be bumped for the
lower-constraints job to pass.
Change-Id: Ibaefbb9935020318ed670774b0205f3bcffef4ad
Closes-Bug: #1951429
Depends-On: https://review.opendev.org/c/openstack/oslo.service/+/818548
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1951429
Title:
Neutron API responses should not contain tracebacks
Status in neutron:
Fix Released
Bug description:
Security folks found some corner cases in the neutron API where the
response contains a traceback, for example:
$ curl --request-target foo -k http://127.0.0.1:9696
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 563, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 208, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 130, in normalize_url
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')
As a developer I don't mind such tracebacks, but I see their point
that this may give away unwanted information to an attacker. On the
other hand I would not consider this in itself a vulnerability.
Pushing a trivial fix in a minute.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1951429/+subscriptions
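The leak described in the bug report comes from the WSGI server layer: when an application raises and the server is running with tracebacks enabled (eventlet's wsgi.server() takes a debug keyword that controls this), the formatted exception is written straight into the HTTP body. The Neutron fix turns that server setting off. As an added, server-independent illustration (this is example code, not Neutron, eventlet or oslo.service code), the block below shows a WSGI middleware that catches unhandled exceptions, logs them server-side and returns a generic 500, plus a small checker that tests can run over response bodies. The tiny request driver, the strict_path_app that mimics the paste.urlmap assertion from the report, and the malformed PATH_INFO of "foo" are all constructed for the example.

```python
"""Keep Python tracebacks out of API responses: a WSGI middleware and a
response checker. Example code, not part of Neutron or eventlet."""
import logging
import sys
import traceback
from typing import Tuple

log = logging.getLogger("wsgi.errors")

# The first line of every CPython traceback; its presence in a client-visible
# body is the symptom the bug report describes.
TRACEBACK_MARKER = b"Traceback (most recent call last):"


def response_leaks_traceback(body: bytes) -> bool:
    """Return True if an HTTP response body contains a Python traceback.

    Intended as an assertion in API tests or a post-deployment smoke check
    run against deliberately malformed requests."""
    return TRACEBACK_MARKER in body


class NoTracebackMiddleware:
    """Wrap a WSGI app so that unhandled exceptions are logged on the server
    and the client only ever sees a generic 500 body."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            return self.app(environ, start_response)
        except Exception:
            # Full detail goes to the server log, never to the wire.
            log.exception("unhandled exception for %s %s",
                          environ.get("REQUEST_METHOD"),
                          environ.get("PATH_INFO"))
            # Passing exc_info lets the server replace headers that were
            # already set but not yet sent, as PEP 3333 allows.
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")],
                           sys.exc_info())
            return [b"500 Internal Server Error\n"]


def strict_path_app(environ, start_response):
    """Constructed app that, like paste.urlmap in the report, asserts that
    the request path starts with '/' and raises otherwise."""
    path = environ.get("PATH_INFO", "")
    assert not path or path.startswith("/"), (
        "URL fragments must start with / or http:// (you gave %r)" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def run_request(app, environ) -> Tuple[str, bytes]:
    """Constructed minimal WSGI driver that behaves like a server with
    tracebacks enabled: if the app raises, the formatted traceback becomes
    the response body. This models the failure mode, not any real server."""
    status_holder = {"status": None}

    def start_response(status, headers, exc_info=None):
        status_holder["status"] = status
        return lambda data: None

    try:
        body = b"".join(app(environ, start_response))
    except Exception:
        status_holder["status"] = "500 Internal Server Error"
        body = traceback.format_exc().encode()
    return status_holder["status"], body


if __name__ == "__main__":
    bad = {"REQUEST_METHOD": "GET", "PATH_INFO": "foo"}  # constructed input
    for name, app in (("unwrapped", strict_path_app),
                      ("wrapped", NoTracebackMiddleware(strict_path_app))):
        status, body = run_request(app, bad)
        print(name, status, "leaks traceback:", response_leaks_traceback(body))
```

Running the module shows the unwrapped app returning a 500 whose body is the traceback, while the wrapped app returns the same status with a one-line body; the checker is what an API test suite would use to catch regressions of this class, since the server-side setting can silently change with an eventlet or oslo.service upgrade.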