[openstack-dev] [stable] Re: [neutron] the hostname regex pattern fix also changed behaviour :(

Ihar Hrachyshka ihrachys at redhat.com
Fri Nov 28 11:47:48 UTC 2014


On 28/11/14 01:26, Angus Lees wrote:
> Context: https://review.openstack.org/#/c/135616
> As far as I can make out, the fix for CVE-2014-7821 removed a backslash
> that effectively disables the negative look-ahead assertion that
> verifies that hostname can't be all-digits. Worse, the new version now
> rejects hostnames where a component starts with a digit.

Thanks for raising the issue!

> This certainly addressed the immediate issue of "that regex was
> expensive", but the change in behaviour looks like it was unintended.
> Given that we backported this DoS fix to released versions of neutron,
> what do we want to do about it now?

I don't think we've actually *released* any stable versions with the
patch included, yet (neither Icehouse nor Juno). (Adding [stable] tag to
subject to raise awareness).

I'm adding the mail thread to stable/juno etherpad to track the
backwards incompatibility (probably a blocker for the forthcoming
release): https://etherpad.openstack.org/p/StableJuno

> In general this regex is crazy complex for what it verifies. I can't
> see any discussion of where it came from nor precisely what it was
> intended to accept/reject when it was introduced in patch 16 of
> https://review.openstack.org/#/c/14219.
> If we're happy disabling the check for components being all-digits, then
> a minimal change to the existing regex that could be backported might be
> something like
>   r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
> Alternatively (and clearly preferable for Kilo), Kevin has a replacement
> underway that rewrites this entirely to conform to modern RFCs in
> I003cf14d95070707e43e40d55da62e11a28dfa4e

With the change, will existing instances work as before?

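The candidate regex Angus quotes is short enough to exercise directly. The following is an added example, not code from the thread or from neutron: it compiles that exact pattern, runs it over a constructed table of hostnames, and records what the pattern actually accepts. The function names (`matches_thread_regex`, `strict_hostname`, `classify`, `max_length_boundary`) and the sample inputs are mine; `strict_hostname` is an added hardening using `re.fullmatch()` rather than anything proposed in the message.

```python
import re

# The candidate pattern quoted in Angus Lees's message, character for character.
THREAD_PATTERN = re.compile(
    r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
)


def matches_thread_regex(name):
    """Apply the pattern the way a re.match()-style validator would (hypothetical helper)."""
    return THREAD_PATTERN.match(name) is not None


def strict_hostname(name):
    """Added hardening, not from the thread: fullmatch() refuses a trailing newline,
    which re.match() with a '$' anchor silently tolerates."""
    return THREAD_PATTERN.fullmatch(name) is not None


# Constructed inputs paired with what the candidate regex does with them.
CASES = [
    ("example.com", True),          # ordinary two-label name
    ("host1.example.com", True),    # digit inside a label
    ("1host.example.com", True),    # label starting with a digit: what the CVE fix wrongly rejected
    ("123.example.com", True),      # all-digit label: accepted, the trade-off the message names
    ("localhost", True),            # single alphabetic label
    ("a.example.com", False),       # one-character label: the {,61}[a-zA-Z0-9] tail needs 2 chars
    ("-host.example.com", False),   # a label may not start with '-'
    ("host-.example.com", False),   # nor end with it
    ("192.168.1.1", False),         # final label must be alphabetic, so dotted quads fail
    ("x" * 255, False),             # the length lookahead rejects 255 characters
]


def classify(cases=CASES):
    """Return the inputs whose result disagrees with the table (empty list = all as described)."""
    return [name for name, expected in cases if matches_thread_regex(name) != expected]


def max_length_boundary():
    """Four 62-character labels (dots included) plus a 6-char final label is 254 chars
    and passes; one more character tips it over the lookahead's limit."""
    body = ("a" * 61 + ".") * 4
    return matches_thread_regex(body + "abcdef"), matches_thread_regex(body + "abcdefg")


if __name__ == "__main__":
    print("mismatches against the table:", classify())
    print("254 / 255 chars accepted:", max_length_boundary())
    print("re.match tolerates a trailing newline:", matches_thread_regex("example.com\n"))
    print("re.fullmatch does not:", strict_hostname("example.com\n"))
```

Two behaviours of the quoted pattern are worth knowing before backporting it: a single-character label such as `a.example.com` is rejected because the inner group requires at least two characters before the dot, and `re.match()` with `$` accepts a name carrying a trailing newline, which `re.fullmatch()` does not.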