[openstack-dev] [neutron] the hostname regex pattern fix also changed behaviour :(

Angus Lees gus at inodes.org
Fri Nov 28 00:26:32 UTC 2014


Context: https://review.openstack.org/#/c/135616

As far as I can make out, the fix for CVE-2014-7821 removed a backslash
that effectively disables the negative look-ahead assertion that verifies
that a hostname can't be all digits. Worse, the new version now rejects
hostnames where a component starts with a digit.

This certainly addressed the immediate issue of "that regex was expensive",
but the change in behaviour looks like it was unintended.  Given that we
backported this DoS fix to released versions of neutron, what do we want to
do about it now?

In general this regex is crazy complex for what it verifies.  I can't see
any discussion of where it came from nor precisely what it was intended to
accept/reject when it was introduced in patch 16 of
https://review.openstack.org/#/c/14219.

If we're happy disabling the check for components being all-digits, then a
minimal change to the existing regex that could be backported might be
something like
  r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'

Alternatively (and clearly preferable for Kilo), Kevin has a replacement
underway that rewrites this entirely to conform to modern RFCs in
I003cf14d95070707e43e40d55da62e11a28dfa4e
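The two concerns in this thread (a validator regex that is expensive enough to be a DoS vector, and a "fix" that silently changes which hostnames are accepted) are both things a small conformance harness catches before a backport ships. The following is an added example, not code from the original post or from neutron: it validates a hostname label by label with a deliberately simple per-label regex, enforces the "final component is not all digits" rule as plain Python rather than a look-ahead, and wraps a timing budget around any candidate regex so a backtracking regression shows up in CI. The hostname rules it encodes (253-character total, 1 to 63 characters per label drawn from letters, digits, underscore and hyphen, no leading or trailing hyphen) are assumptions chosen for this example, not neutron's own rules, and the test cases are constructed.

```python
import re
import time

# Per-label rule (assumption for this example): first and last characters are
# alphanumeric or underscore, hyphens only in the interior, 1..63 characters.
# Keeping the regex to a single label with bounded quantifiers means there is
# no nested repetition for a backtracking engine to explode on.
LABEL_RE = re.compile(r'^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$')


def is_valid_hostname(name: str) -> bool:
    """Structured hostname check: length, then each label, then the
    'not purely numeric' rule expressed as code instead of a look-ahead."""
    if not 1 <= len(name) <= 253:
        return False
    labels = name.split('.')
    if any(not LABEL_RE.match(label) for label in labels):
        return False
    # Reject an all-digit final label so an IPv4 literal such as 10.0.0.1
    # (or a bare "123") is not accepted as a hostname.
    return not labels[-1].isdigit()


# Constructed conformance table: (hostname, expected verdict). The second
# entry is the regression described in the thread: a component that starts
# with a digit must still be accepted.
CASES = [
    ("host1.example.com", True),
    ("1host.example.com", True),
    ("a.b.c", True),
    ("a" * 63 + ".example.com", True),
    ("a." * 126 + "b", True),          # exactly 253 characters
    ("123", False),                     # all digits
    ("10.0.0.1", False),                # IPv4 literal
    ("-bad.example.com", False),        # leading hyphen
    ("bad-.example.com", False),        # trailing hyphen
    ("a" * 64 + ".example.com", False), # label too long
    ("host..example.com", False),       # empty label
    ("", False),
]


def check_cases(validator=is_valid_hostname, cases=CASES):
    """Return a list of (hostname, expected, got) for every mismatch.
    An empty list means the validator agrees with the whole table."""
    mismatches = []
    for name, expected in cases:
        got = validator(name)
        if got != expected:
            mismatches.append((name, expected, got))
    return mismatches


def regex_time_budget(pattern: str, samples, budget_s: float = 0.05) -> dict:
    """Time a candidate regex against each sample and return {sample: seconds}
    for those that exceed the budget. Run this over long, almost-valid inputs
    (the kind that drive catastrophic backtracking) before accepting a new
    validator pattern; an empty dict means every sample stayed in budget."""
    compiled = re.compile(pattern)
    slow = {}
    for sample in samples:
        start = time.perf_counter()
        compiled.match(sample)
        elapsed = time.perf_counter() - start
        if elapsed > budget_s:
            slow[sample] = elapsed
    return slow


if __name__ == "__main__":
    print("mismatches:", check_cases())
    adversarial = ["a-" * 31 + "-", "a" * 63, "a" * 200, "a-" * 126 + "-"]
    print("over budget:", regex_time_budget(LABEL_RE.pattern, adversarial))
```

The point of `check_cases` is that any replacement pattern (including a backported one-line regex change) can be dropped in as the `validator` argument and diffed against the same table, so an accidental change in accepted inputs is visible as a list of concrete hostnames rather than discovered after release.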