[openstack-dev] [stable] Re: [neutron] the hostname regex pattern fix also changed behaviour :(
Ihar Hrachyshka
ihrachys at redhat.com
Fri Nov 28 11:47:48 UTC 2014
On 28/11/14 01:26, Angus Lees wrote:
> Context: https://review.openstack.org/#/c/135616
>
> As far as I can make out, the fix for CVE-2014-7821 removed a backslash
> that effectively disables the negative look-ahead assertion that
> verifies that hostname can't be all-digits. Worse, the new version now
> rejects hostnames where a component starts with a digit.
Thanks for raising the issue!
>
> This certainly addressed the immediate issue of "that regex was
> expensive", but the change in behaviour looks like it was unintended.
> Given that we backported this DoS fix to released versions of neutron,
> what do we want to do about it now?
I don't think we've actually *released* any stable versions with the
patch included, yet (neither Icehouse nor Juno). (Adding [stable] tag to
subject to raise awareness).
I'm adding the mail thread to stable/juno etherpad to track the
backwards incompatibility (probably a blocker for the forthcoming
release): https://etherpad.openstack.org/p/StableJuno
>
> In general this regex is crazy complex for what it verifies. I can't
> see any discussion of where it came from nor precisely what it was
> intended to accept/reject when it was introduced in patch 16 of
> https://review.openstack.org/#/c/14219.
>
> If we're happy disabling the check for components being all-digits, then
> a minimal change to the existing regex that could be backported might be
> something like
> r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
>
> Alternatively (and clearly preferable for Kilo), Kevin has a replacement
> underway that rewrites this entirely to conform to modern RFCs in
> I003cf14d95070707e43e40d55da62e11a28dfa4e
With the change, will existing instances work as before?
/Ihar
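Added worked example (editor's note, not code from the thread or from neutron): the first half shows, on a constructed pair of label patterns, why the escaped and unescaped dot inside a negative look-ahead behave so differently, which is the effect Angus describes; the second half runs the minimal replacement regex quoted in his message against constructed sample hostnames. The two LABEL_* fragments are illustrative and are not the neutron pattern before or after the CVE fix; the hostnames are made up for the test.

```python
import re

# The minimal replacement regex quoted in Angus's message, copied verbatim.
# Note that Python's re reads "{,61}" as "{0,61}".
PROPOSED_HOSTNAME_PATTERN = (
    r'(?=^.{1,254}$)'
    r'(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
)

# Constructed illustration of the look-ahead pitfall (NOT neutron's regex):
# the only difference is the backslash before the dot inside "(?!...)".
#   \d+\.  -> "one or more digits followed by a literal dot", i.e. an
#             all-digit label; the look-ahead rejects only those.
#   \d+.   -> "one or more digits followed by any character", i.e. any
#             label that merely starts with a digit is rejected.
LABEL_ESCAPED = r'(?!\d+\.)[a-zA-Z0-9_-]{1,63}\.'
LABEL_UNESCAPED = r'(?!\d+.)[a-zA-Z0-9_-]{1,63}\.'


def label_accepted(pattern, label_with_dot):
    """True when a single label (including its trailing dot) matches."""
    return re.match(pattern, label_with_dot) is not None


def lookahead_comparison(labels):
    """Map each label to (escaped_dot_result, unescaped_dot_result)."""
    return {
        label: (label_accepted(LABEL_ESCAPED, label),
                label_accepted(LABEL_UNESCAPED, label))
        for label in labels
    }


def proposed_hostname_valid(hostname):
    """Apply the proposed replacement regex exactly as quoted."""
    return re.match(PROPOSED_HOSTNAME_PATTERN, hostname) is not None


def classify(hostnames):
    """Map each hostname to the verdict of the proposed regex."""
    return {h: proposed_hostname_valid(h) for h in hostnames}


# Constructed sample input for a stand-alone run.
SAMPLE_LABELS = ["host.", "3com.", "123."]
SAMPLE_HOSTNAMES = [
    "host.example.com",      # ordinary name
    "3com.example.com",      # label starting with a digit
    "123.example.com",       # all-digit label: accepted by the proposal
    "a.example.com",         # single-character label: the per-label group
                             # requires at least two characters, so rejected
    "-host.example.com",     # leading hyphen
    "host-.example.com",     # trailing hyphen
    "host.example.c",        # TLD shorter than two letters
    "host.example.123",      # numeric TLD
    "a" * 63 + ".com",       # 63-character label (limit)
    "a" * 64 + ".com",       # 64-character label (over the limit)
    "host.example.com\n",    # "$" also matches before a trailing newline;
                             # use "\Z" if that must be rejected
]

if __name__ == "__main__":
    for label, (escaped, unescaped) in lookahead_comparison(SAMPLE_LABELS).items():
        print(f"{label!r:10} escaped-dot={escaped!s:5} unescaped-dot={unescaped}")
    for hostname, ok in classify(SAMPLE_HOSTNAMES).items():
        print(f"{ok!s:5} {hostname!r}")
```

The last sample is the practitioner's caveat: with `$` (rather than `\Z`), both the length look-ahead and the main group accept a value that ends in a single newline, so a validator built on this pattern should strip or reject trailing whitespace before matching.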