[openstack-dev] [stable] Re: [neutron] the hostname regex pattern fix also changed behaviour :(

Ihar Hrachyshka ihrachys at redhat.com
Fri Nov 28 11:47:48 UTC 2014



On 28/11/14 01:26, Angus Lees wrote:
> Context: https://review.openstack.org/#/c/135616
> 
> As far as I can make out, the fix for CVE-2014-7821 removed a backslash
> that effectively disables the negative look-ahead assertion that
> verifies that hostname can't be all-digits. Worse, the new version now
> rejects hostnames where a component starts with a digit.

Thanks for raising the issue!

> 
> This certainly addressed the immediate issue of "that regex was
> expensive", but the change in behaviour looks like it was unintended.
> Given that we backported this DoS fix to released versions of neutron,
> what do we want to do about it now?

I don't think we've actually *released* any stable versions with the
patch included, yet (neither Icehouse nor Juno). (Adding [stable] tag to
subject to raise awareness).

I'm adding the mail thread to stable/juno etherpad to track the
backwards incompatibility (probably a blocker for the forthcoming
release): https://etherpad.openstack.org/p/StableJuno

> 
> In general this regex is crazy complex for what it verifies.  I can't
> see any discussion of where it came from nor precisely what it was
> intended to accept/reject when it was introduced in patch 16 of
> https://review.openstack.org/#/c/14219.
> 
> If we're happy disabling the check for components being all-digits, then
> a minimal change to the existing regex that could be backported might be
> something like
>   r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
> 
> Alternatively (and clearly preferable for Kilo), Kevin has a replacement
> underway that rewrites this entirely to conform to modern RFCs in
> I003cf14d95070707e43e40d55da62e11a28dfa4e

With the change, will existing instances work as before?

/Ihar
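As an added example (not part of the thread or of neutron's code), the minimal backport regex proposed in Angus's message, exercised in Python against constructed hostnames to show what it accepts and rejects: labels that start with a digit and all-digit non-final labels pass (the all-digits check is disabled, as he notes), while the 254-character total cap, the 63-character label cap and the letters-only final label are enforced.

```python
import re

# The candidate regex quoted in the thread, copied verbatim.
PROPOSED_HOSTNAME_RE = re.compile(
    r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
)


def is_valid_hostname(name: str) -> bool:
    """Return True if the proposed regex accepts the whole string as a hostname."""
    return PROPOSED_HOSTNAME_RE.match(name) is not None


# Constructed sample inputs (not from the thread), with the outcome the
# proposed regex gives for each and why.
SAMPLES = {
    "compute1.example.org": True,          # ordinary FQDN
    "my_host.example.com": True,           # underscore is allowed inside a label
    "1host.example.com": True,             # label starting with a digit is accepted
    "123.example.com": True,               # all-digit non-final label: no check anymore
    "example.com": True,
    "localhost": True,                     # single all-letter label
    "a.example.com": False,                # this pattern needs at least 2 chars per dotted label
    "example.123": False,                  # final label must be letters only
    "-bad.example.com": False,             # label may not start with a hyphen
    "bad-.example.com": False,             # label may not end with a hyphen
    "": False,                             # empty string fails the length look-ahead
    "x" * 64 + ".example.com": False,      # label longer than 63 characters
    ("a" * 63 + ".") * 4 + "com": False,   # 259 characters: over the 254 cap
}


def mismatches() -> list:
    """Return the sample hostnames whose result differs from the expected value."""
    return [n for n, expected in SAMPLES.items() if is_valid_hostname(n) != expected]


if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        print(f"{name[:40]!r:44} -> {is_valid_hostname(name)} (expected {expected})")
    print("mismatches:", mismatches())
```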