Use constant time comparison in tempURL
Use constant time comparison when evaluating tempURL to avoid timing attacks (CVE-2014-0006). This is the havana backport of the master patch. Fixes bug 1265665 Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48
This commit is contained in:
parent
2f3526c559
commit
b2c61375b3
|
@ -98,7 +98,7 @@ from urlparse import parse_qs
|
||||||
|
|
||||||
from swift.proxy.controllers.base import get_account_info
|
from swift.proxy.controllers.base import get_account_info
|
||||||
from swift.common.swob import HeaderKeyDict
|
from swift.common.swob import HeaderKeyDict
|
||||||
from swift.common.utils import split_path
|
from swift.common.utils import split_path, streq_const_time
|
||||||
|
|
||||||
|
|
||||||
#: Default headers to remove from incoming requests. Simply a whitespace
|
#: Default headers to remove from incoming requests. Simply a whitespace
|
||||||
|
@ -267,17 +267,20 @@ class TempURL(object):
|
||||||
if not keys:
|
if not keys:
|
||||||
return self._invalid(env, start_response)
|
return self._invalid(env, start_response)
|
||||||
if env['REQUEST_METHOD'] == 'HEAD':
|
if env['REQUEST_METHOD'] == 'HEAD':
|
||||||
hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
|
hmac_vals = (self._get_hmacs(env, temp_url_expires, keys,
|
||||||
request_method='GET')
|
request_method='GET') +
|
||||||
if temp_url_sig not in hmac_vals:
|
self._get_hmacs(env, temp_url_expires, keys,
|
||||||
hmac_vals = self._get_hmacs(env, temp_url_expires, keys,
|
request_method='PUT'))
|
||||||
request_method='PUT')
|
|
||||||
if temp_url_sig not in hmac_vals:
|
|
||||||
return self._invalid(env, start_response)
|
|
||||||
else:
|
else:
|
||||||
hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
|
hmac_vals = self._get_hmacs(env, temp_url_expires, keys)
|
||||||
if temp_url_sig not in hmac_vals:
|
|
||||||
return self._invalid(env, start_response)
|
# While it's true that any() will short-circuit, this doesn't affect
|
||||||
|
# the timing-attack resistance since the only way this will
|
||||||
|
# short-circuit is when a valid signature is passed in.
|
||||||
|
is_valid_hmac = any(streq_const_time(temp_url_sig, h)
|
||||||
|
for h in hmac_vals)
|
||||||
|
if not is_valid_hmac:
|
||||||
|
return self._invalid(env, start_response)
|
||||||
self._clean_incoming_headers(env)
|
self._clean_incoming_headers(env)
|
||||||
env['swift.authorize'] = lambda req: None
|
env['swift.authorize'] = lambda req: None
|
||||||
env['swift.authorize_override'] = True
|
env['swift.authorize_override'] = True
|
||||||
|
|
Loading…
Reference in New Issue