Package: nova / 2:14.0.0-4+deb9u1

CVE-2017-7214_do_not_include_context_to_exception_notification.patch
Description: CVE-2017-7214: do not include context to exception notification
 The wrap_exception decorator optionally emitted a notification.
 Based on the code comments the original intention was not to include the
 context in that notification due to security reasons. However the
 implementation did include the context in the payload of the legacy
 notification.
 .
 Recently we saw circular reference errors during the payload serialization
 of this notification. Based on the logs the only complex data structure
 that could cause a circular reference is the context. So this patch
 removes the context from the legacy exception notification.
 .
 The versioned exception notification is not affected as it does not
 contain the args of the decorated function.
Author: Balazs Gibizer <balazs.gibizer@ericsson.com>
Date: Fri, 17 Mar 2017 10:24:49 +0000 (+0100)
X-Git-Tag: 14.0.5~1
X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff_plain;h=d0ee248bab6727555561c15998c58a0f11a5351b
Origin: https://review.openstack.org/447072
Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1673569
Bug-Debian: https://bugs.debian.org/858568
Change-Id: I1d217620e52d45595a3e0e49ed57b4ab33cd1688
Last-Update: 2017-04-02

diff --git a/nova/exception_wrapper.py b/nova/exception_wrapper.py
index 5b74c3b..5051b83 100644
--- a/nova/exception_wrapper.py
+++ b/nova/exception_wrapper.py
@@ -86,6 +86,9 @@ def _get_call_dict(function, self, context, *args, **kw):
     # self can't be serialized and shouldn't be in the
     # payload
     call_dict.pop('self', None)
+    # NOTE(gibi) remove context as well as it contains sensitive information
+    # and it can also contain circular references
+    call_dict.pop('context', None)
     return _cleanse_dict(call_dict)
 
 
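Review bot: the new `call_dict.pop('context', None)` keys on the literal argument name, so the removal only takes effect for decorated functions whose parameter is actually named `context`; a function that receives the request context under a different name would still have it land in the legacy payload and still hit the circular-reference serialization failure described in the commit message. Worth stating that naming assumption in the NOTE(gibi) comment, and ideally pairing this with a cleanup rule in `_cleanse_dict` that drops context objects by type rather than by key. The placement before `_cleanse_dict(call_dict)` is otherwise correct, since the context is removed before any cleansing or serialization is attempted.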
diff --git a/nova/tests/unit/test_exception.py b/nova/tests/unit/test_exception.py
index a9bada1..55478a6 100644
--- a/nova/tests/unit/test_exception.py
+++ b/nova/tests/unit/test_exception.py
@@ -61,6 +61,7 @@ class WrapExceptionTestCase(test.NoDBTestCase):
         self.assertEqual(3, notification.payload['args']['extra'])
         for key in ['exception', 'args']:
             self.assertIn(key, notification.payload.keys())
+        self.assertNotIn('context', notification.payload['args'].keys())
 
         self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS))
         notification = fake_notifier.VERSIONED_NOTIFICATIONS[0]
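Review bot: the added `assertNotIn('context', notification.payload['args'].keys())` only checks the key name, so it passes as long as the pop ran, but it does not exercise the failure that motivated the change (serialization of the legacy payload raising on a circular reference). Consider additionally asserting that the legacy payload serializes cleanly, for example by passing `notification.payload` through the same JSON serializer the notifier uses, so the test would catch a regression where context sneaks back in under another key. The existing `assertEqual(3, notification.payload['args']['extra'])` already guards that non-sensitive args are preserved, which is the right companion check.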