OpenStack Identity (keystone)

auth_token does not quote token to validate

Bug #974319 reported by Chmouel Boudjnah on 2012-04-05

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
OpenStack Identity (keystone)	Won't Fix	Medium	Unassigned
Essex	Invalid	Undecided	Unassigned
python-keystoneclient	Fix Released	Low	Dolph Mathews	python-keystoneclient 0.2.1

Bug Description

When we are sending a bogus token with a space to validate like :

"foo bar"

I am getting this error message :

  File "/opt/stack/swift/swift/common/middleware/catch_errors.py", line 47, in __call__
    return self.app(env, my_start_response)
  File "/opt/stack/swift/swift/common/middleware/healthcheck.py", line 38, in __call__
    return self.app(env, start_response)
  File "/opt/stack/swift/swift/common/middleware/memcache.py", line 47, in __call__
    return self.app(env, start_response)
  File "/opt/stack/swift/swift/common/middleware/swift3.py", line 460, in __call__
    return self.app(env, start_response)
  File "/opt/stack/keystone/keystone/middleware/s3_token.py", line 126, in __call__
    return self.app(environ, start_response)
  File "/opt/stack/keystone/keystone/middleware/auth_token.py", line 174, in __call__
    user_headers = self._build_user_headers(token_info)
  File "/opt/stack/keystone/keystone/middleware/auth_token.py", line 397, in _build_user_headers
    user = token_info['access']['user']
KeyError: 'access' (txn: txfa72e0ad18394a60bcb2fd00a100e7bb)

Reason seems to be because on auth_token.py the token sent to keystone to validate is unquoted and sent as is which come back as a 200.

I am not entirely sure if this is httplib or keystone coming back as 200 here is a snippet describing what i mean :

http://pastie.org/private/ywjzcrawgwdh25nzuma

See the second test (unquote with a space) will return as 200.

Fixing the problem by quoting token before validating in keystone is trivial to fix the problem but I wonder if there is more to that.

Chmouel Boudjnah (chmouel) on 2012-04-05

Changed in keystone:
assignee:	nobody → Chmouel Boudjnah (chmouel)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-04-05: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/6276

Changed in keystone:
status:	New → In Progress

Chmouel Boudjnah (chmouel) on 2012-04-10

tags:

added: essex-backport-potential

Revision history for this message

termie (termie) wrote on 2012-05-03: Re: auh_token does not quote token to validate

i don't fully understand what is going on in the pastie.

it appears in the first test you are sending a valid string but in the second you are sending an invalid one, yet you are claiming that the first one is invalid? or just that the second call should not return a 200?

Dolph Mathews (dolph) on 2012-05-10

summary:

- auh_token does not quote token to validate
+ auth_token does not quote token to validate

Alan Pevec (apevec) on 2012-06-04

tags:

added: essex-backport
removed: essex-backport-potential

Joseph Heck (heckj) on 2012-06-07

Changed in keystone:
importance:	Undecided → Medium

Revision history for this message

Chmouel Boudjnah (chmouel) wrote on 2012-06-08:

It took me a while to track down this and I am not sure I still fully understand this.

So what happen when the client does this kind of request :

GET /v2.0/tokens/foo bar HTTP/1.1
Host: localhost:35357
Accept-Encoding: identity
X-Auth-Token: ADMIN

We are getting a HTML Error message :

http://pastie.org/4052089/text

But for a good query we are getting :

http://pastie.org/pastes/4052093/text

Note that this one is not a HTML error but a standard error.

So when using httplib read that via the function read_status :

http://pastie.org/4052134

at line 11 it tries to do some splitting of the first line to get the http error, still cannot do it on line 14 but cannot do it since we HTTPBaseServer come back with an HTML <head> as the first line, so it goes on until line 27 :

return "HTTP/0.9", 200, ""

and return a 200 error.

It all come down to BaseHttpServer DEFAULT_ERROR_MESSAGE :

# Default error message template
DEFAULT_ERROR_MESSAGE = """\
<head>
<title>Error response</title>
</head>
<body>
<h1>Error response</h1>
<p>Error code %(code)d.
<p>Message: %(message)s.
<p>Error code explanation: %(code)s = %(explain)s.
</body>
"""

which I think should be non html and the %(message)s is XSS vulnerable as well (i.e: http://mail.python.org/pipermail/python-bugs-list/2005-June/029368.html)

so well HTTPBaseServer is buggy and httplib should detect that..

We could maybe try with another library than httplib to validate the token in auth_token.py

Let me know what do you guys think.

Revision history for this message

Chmouel Boudjnah (chmouel) wrote on 2012-06-08:

Oops first pastie should be :

http://pastie.org/pastes/4052089/text

Revision history for this message

Chmouel Boudjnah (chmouel) wrote on 2012-06-14:

Okay according to termie in this review:

https://review.openstack.org/#/c/8455/

this is going to be a wontfix :

probably not worth the trouble of breaking some random old client out there for what is essentially a non-useful fix: httplib's client misinterprets the status after it sends a horrifically deformed request and the server interprets it as http/0.9
i say we tell people who are sending horrifically deformed requests that they are wrong and should be quiet

so somebody with the right rights can please close this bug as WONTFIX.

Changed in keystone:
assignee:	Chmouel Boudjnah (chmouel) → nobody

Revision history for this message

Mark McLoughlin (markmc) wrote on 2012-06-21:

Marked Won't Fix as requested by Chmouel

Changed in keystone:
status:	In Progress → Won't Fix

Alan Pevec (apevec) on 2012-12-13

tags:

removed: essex-backport

OpenStack Infra (hudson-openstack) on 2012-12-13

Changed in python-keystoneclient:
assignee:	nobody → Dolph Mathews (dolph)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-12-13: Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/18062
Committed: http://github.com/openstack/python-keystoneclient/commit/308a773283a1eece37cb46446ca61a773cc12f42
Submitter: Jenkins
Branch: master

commit 308a773283a1eece37cb46446ca61a773cc12f42
Author: Dolph Mathews <email address hidden>
Date: Thu Dec 13 12:31:06 2012 -0600

URL-encode user-supplied tokens (bug 974319)

Change-Id: I7440f879edb8d61ea2382d5d4a56e32eacce4cfd

Changed in python-keystoneclient:
status:	In Progress → Fix Committed

Dolph Mathews (dolph) on 2013-05-29

Changed in python-keystoneclient:
milestone:	none → 0.2.1
status:	Fix Committed → Fix Released
importance:	Undecided → Low

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.