Invalid parsing of Forwarded header (RFC7239)

Bug #1711573 reported by Adam Kijak
This bug affects 1 person
Affects                          Status         Importance  Assigned to  Milestone
Ubuntu Cloud Archive             Fix Released   High        Unassigned
  Ocata                          Fix Released   High        Unassigned
  Pike                           Fix Released   High        Unassigned
oslo.middleware                  Fix Released   Undecided   Adam Kijak
python-oslo.middleware (Ubuntu)  Fix Released   Undecided   Unassigned
  Zesty                          Fix Committed  Undecided   Unassigned
  Artful                         Fix Released   Undecided   Unassigned

Bug Description

>>> from oslo_middleware.http_proxy_to_wsgi import HTTPProxyToWSGI
>>> HTTPProxyToWSGI._parse_rfc7239_header("for=192.0.2.60;proto=http, for=192.0.2.60;by=203.0.113.43")
[{'for': '192.0.2.60', 'proto': 'http'}, {' for': '192.0.2.60', 'by': '203.0.113.43'}]
>>>
>>> HTTPProxyToWSGI._parse_rfc7239_header("for=192.0.2.60; proto=http, for=192.0.2.60; by=203.0.113.43")
[{' proto': 'http', 'for': '192.0.2.60'}, {' for': '192.0.2.60', ' by': '203.0.113.43'}]

According to some sources:
https://en.wikipedia.org/wiki/X-Forwarded-For#Alternatives_and_variations
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded

using space after semicolon in Forwarded header is valid, but _parse_rfc7239_header does not parse it properly: note spaces in keys in the dict above.

This affects e.g. Heat when using a proxy+SSL.
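
The failure described above, as an added example that is not part of the original report and is not oslo.middleware's code: a split-only parser reproduces the space-prefixed keys, and a consumer that looks up `proto` then falls back to plain `http` behind a TLS-terminating proxy. The function names, the consumer logic and the `https` sample header are assumptions made for illustration.

```python
# Added illustration; all names here are hypothetical, not oslo.middleware's API.

def parse_forwarded_naive(header):
    """Split on ',' and ';' without trimming: reproduces the reported output."""
    result = []
    for proxy in header.split(","):
        entry = {}
        for pair in proxy.split(";"):
            key, _, value = pair.partition("=")
            entry[key] = value  # key keeps any leading space, e.g. ' proto'
        result.append(entry)
    return result


def parse_forwarded_stripped(header):
    """Same split, but trim whitespace around each element, key and value."""
    result = []
    for proxy in header.split(","):
        entry = {}
        for pair in proxy.strip().split(";"):
            key, sep, value = pair.strip().partition("=")
            if not sep:
                continue  # skip empty or malformed pairs
            entry[key.strip()] = value.strip()
        result.append(entry)
    return result


def forwarded_scheme(parsed, default="http"):
    """Assumed consumer: take the URL scheme from the first forwarded element."""
    if parsed and "proto" in parsed[0]:
        return parsed[0]["proto"]
    return default


# Constructed header: TLS terminated at the proxy, space after each ';'
HEADER = "for=192.0.2.60; proto=https, for=192.0.2.60; by=203.0.113.43"

if __name__ == "__main__":
    print(parse_forwarded_naive(HEADER))
    print(forwarded_scheme(parse_forwarded_naive(HEADER)))
    print(parse_forwarded_stripped(HEADER))
    print(forwarded_scheme(parse_forwarded_stripped(HEADER)))
```

With the naive parser the application sees the wrong scheme, so any absolute URL it generates points at `http://` even though the client connected over TLS.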

Adam Kijak (adam-kijak)
tags: added: proxy wsgi
Adam Kijak (adam-kijak)
Changed in oslo.middleware:
assignee: nobody → Adam Kijak (adam-kijak)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.middleware (master)

Reviewed: https://review.openstack.org/495172
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=480d60ac856937e1a48c1ed6df3b7d2e59a974dc
Submitter: Jenkins
Branch: master

commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a

Changed in oslo.middleware:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.middleware (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/499470

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to oslo.middleware (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/499471

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.middleware (stable/pike)

Reviewed: https://review.openstack.org/499470
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=d9ad4bae1e0d6c43a009d393ac94f7ff50116171
Submitter: Jenkins
Branch: stable/pike

commit d9ad4bae1e0d6c43a009d393ac94f7ff50116171
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a
    (cherry picked from commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc)

tags: added: in-stable-pike
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to oslo.middleware (stable/ocata)

Reviewed: https://review.openstack.org/499471
Committed: https://git.openstack.org/cgit/openstack/oslo.middleware/commit/?id=74208402c6cadc0fb46379e2f7122eade7998883
Submitter: Jenkins
Branch: stable/ocata

commit 74208402c6cadc0fb46379e2f7122eade7998883
Author: Adam Kijak <email address hidden>
Date: Fri Aug 18 13:23:10 2017 +0200

    Invalid parsing of Forwarded header fixed

    _parse_rfc7239_header() did not parse properly
    a Forwarded header with additional spaces

    Closes-Bug: #1711573
    Change-Id: Ic8b7f9698d7b3440005b17d249b1c8f0f66dae8a
    (cherry picked from commit 480d60ac856937e1a48c1ed6df3b7d2e59a974dc)

tags: added: in-stable-ocata
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.middleware 3.31.0

This issue was fixed in the openstack/oslo.middleware 3.31.0 release.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Ubuntu SRU details:

[Description]
See bug description.

[Test Case]
See bug description.

[Regression Potential]
Low. This fix has landed upstream already in master, stable/pike, and stable/ocata branches. The fix is minimal and just strips whitespace.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I've uploaded new versions of the package to artful (pike) and zesty (ocata).

Changed in python-oslo.middleware (Ubuntu Zesty):
status: New → Triaged
Changed in python-oslo.middleware (Ubuntu Artful):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-oslo.middleware - 3.30.0-0ubuntu1.1

---------------
python-oslo.middleware (3.30.0-0ubuntu1.1) artful; urgency=medium

  * d/p/fix-parsing-of-forwarded-header.patch: Fix invalid parsing of
    forwarded header (LP: #1711573).

 -- Corey Bryant <email address hidden> Fri, 22 Sep 2017 09:09:11 -0400

Changed in python-oslo.middleware (Ubuntu Artful):
status: Triaged → Fix Released
Revision history for this message
James Page (james-page) wrote : Please test proposed package

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into pike-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:pike-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-pike-needed to verification-pike-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-pike-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-pike-needed
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-oslo.middleware/3.23.1-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-oslo.middleware (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.middleware 3.30.1

This issue was fixed in the openstack/oslo.middleware 3.30.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/oslo.middleware 3.23.3

This issue was fixed in the openstack/oslo.middleware 3.23.3 release.

Revision history for this message
Ryan Beisner (1chb1n) wrote : Please test proposed package

Hello Adam, or anyone else affected,

Accepted python-oslo.middleware into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Revision history for this message
Ryan Beisner (1chb1n) wrote : Update Released

The verification of the Stable Release Update for python-oslo.middleware has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Ryan Beisner (1chb1n) wrote :

This bug was fixed in the package python-oslo.middleware - 3.23.1-0ubuntu1.1~cloud0
---------------

 python-oslo.middleware (3.23.1-0ubuntu1.1~cloud0) xenial-ocata; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-oslo.middleware (3.23.1-0ubuntu1.1) zesty; urgency=medium
 .
   * d/p/fix-parsing-of-forwarded-header.patch: Fix invalid parsing of
     forwarded header (LP: #1711573).

Revision history for this message
Corey Bryant (corey.bryant) wrote :

OpenStack tempest regression tests have passed successfully against pike-proposed.

pike-proposed with next charms:

======
Totals
======
Ran: 102 tests in 1904.7099 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 794.0835 sec.

pike-proposed with stable charms:

======
Totals
======
Ran: 102 tests in 1976.6895 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 854.3158 sec.

tags: added: verification-pike-done
removed: verification-pike-needed
Revision history for this message
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for python-oslo.middleware has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-oslo.middleware - 3.30.0-0ubuntu1.1~cloud0
---------------

 python-oslo.middleware (3.30.0-0ubuntu1.1~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-oslo.middleware (3.30.0-0ubuntu1.1) artful; urgency=medium
 .
   * d/p/fix-parsing-of-forwarded-header.patch: Fix invalid parsing of
     forwarded header (LP: #1711573).

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Regression testing was successful for xenial-ocata-proposed and zesty-proposed:

xenial-ocata proposed stable charms:

======
Totals
======
Ran: 102 tests in 1742.1837 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 856.3288 sec.

xenial-ocata proposed dev charms:

======
Totals
======
Ran: 102 tests in 1987.3271 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 1008.6304 sec.

zesty-ocata proposed stable charms:

======
Totals
======
Ran: 102 tests in 1604.2247 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 843.3645 sec.

zesty-ocata proposed dev charms:

======
Totals
======
Ran: 102 tests in 1579.9423 sec.
 - Passed: 93
 - Skipped: 9
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 867.0801 sec.
