[Openstack-security] [Bug 1471158] Re: Incorrect regular expressions used for schema validation

Tristan Cacqueray tdecacqu at redhat.com
Thu Dec 3 16:38:14 UTC 2015


Oops, designate vulnerabilities are not managed by the vmt, thus I
closed the OSSA task.

However, should this get a CVE after all?

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1471158

Title:
  Incorrect regular expressions used for schema validation

Status in Designate:
  Fix Released
Status in Designate juno series:
  Fix Committed
Status in Designate kilo series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The regular expressions listed in designate/schema/format.py allow
  trailing "\n" characters because "$" matches "\n" at the end of the
  string.

  Submitting a record creation request with "name" ending with "\n"
  currently results in an internal server error, with the following
  traceback in the log file:

  Traceback (most recent call last):
    File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply
      executor_callback))
    File "/usr/lib/python2.7/site-packages/designate/rpc.py", line 178, in _dispatch
      return super(RPCDispatcher, self)._dispatch(*args, **kwds)
    File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch
      executor_callback)
    File "/usr/lib/python2.7/site-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch
      result = func(ctxt, **new_args)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 220, in wrapper
      result = f(self, *args, **kwargs)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 194, in wrapper
      result = f(self, *args, **kwargs)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 1119, in create_recordset
      context, domain, recordset, increment_serial=increment_serial)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 84, in wrapper
      **copy.deepcopy(kwargs))
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 123, in wrapper
      self.storage.rollback()
    File "/usr/lib/python2.7/site-packages/oslo_utils/excutils.py", line 119, in __exit__
      six.reraise(self.type_, self.value, self.tb)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 118, in wrapper
      result = f(self, *args, **kwargs)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 1138, in _create_recordset_in_storage
      self._is_valid_recordset_name(context, domain, recordset.name)
    File "/usr/lib/python2.7/site-packages/designate/central/service.py", line 341, in _is_valid_recordset_name
      raise ValueError('Please supply a FQDN')
  ValueError: Please supply a FQDN

  If such additional checks are everywhere, the incorrect regular
  expressions should be harmless, and the security flag can be removed.

  Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1235655

To manage notifications about this bug go to:
https://bugs.launchpad.net/designate/+bug/1471158/+subscriptions
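
The "$" behaviour described in the bug, as an added example that is not part of the original message or of Designate's code. The FQDN pattern is a simplified, hypothetical stand-in for the expressions in designate/schema/format.py, and the sample names are constructed.

```python
import re

# Hypothetical, simplified FQDN label (assumption: not Designate's real pattern).
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"

# "$" matches at the end of the string AND just before a final "\n".
WEAK_FQDN = re.compile(r"^(?:%s\.)+$" % LABEL)
# "\Z" matches only at the true end of the string.
STRICT_FQDN = re.compile(r"\A(?:%s\.)+\Z" % LABEL)


def is_fqdn_weak(name):
    """Validate with the '$'-anchored pattern (accepts one trailing newline)."""
    return WEAK_FQDN.match(name) is not None


def is_fqdn_strict(name):
    """Validate with the '\\Z'-anchored pattern (rejects any trailing newline)."""
    return STRICT_FQDN.match(name) is not None


def audit(names):
    """Return the names the weak pattern accepts but the strict one rejects."""
    return [n for n in names if is_fqdn_weak(n) and not is_fqdn_strict(n)]


# Constructed sample inputs.
SAMPLES = [
    "www.example.org.",      # valid FQDN
    "www.example.org.\n",    # single trailing newline: the case in the bug
    "www.example.org.\n\n",  # two newlines: "$" no longer matches
    "www.example.org.\nx",   # newline in the middle: rejected by both
    "-bad.example.org.",     # label starting with "-": rejected by both
]

if __name__ == "__main__":
    for n in SAMPLES:
        print("%-24r weak=%-5s strict=%s" % (n, is_fqdn_weak(n), is_fqdn_strict(n)))
    print("accepted only by the weak pattern:", audit(SAMPLES))
```

Only the single trailing "\n" slips through the "$"-anchored pattern, which is why the request in the report passes schema validation and fails later in the service layer.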



