From b70b15b4f896770a085d72382bd702c0524254a4 Mon Sep 17 00:00:00 2001
From: "Michael Mair-Keimberger (asterix)"
Date: Tue, 7 Feb 2017 17:43:13 +0100
Subject: sys-cluster/heat: remove unused patch

Closes: https://github.com/gentoo/gentoo/pull/3870
---
 sys-cluster/heat/files/CVE-2016-9185.patch | 53 ------------------------------
 1 file changed, 53 deletions(-)
 delete mode 100644 sys-cluster/heat/files/CVE-2016-9185.patch

diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch
deleted file mode 100644
index 7b6bd86b818a..000000000000
--- a/sys-cluster/heat/files/CVE-2016-9185.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
-From: Daniel Gonzalez
-Date: Mon, 17 Oct 2016 10:22:42 +0200
-Subject: Prevent template validate from scanning ports
-
-The template validation method in the heat API allows to specify the
-template to validate using a URL with the 'template_url' parameter.
-
-By entering invalid http URLs, like 'http://localhost:22' it is
-possible to scan ports by evaluating the error message of the request.
-
-For example, the request
-
-curl -H "Content-Type: application/json" -H "X-Auth-Token: " \
--X POST -d '{"template_url": "http://localhost:22"}' \
-http://127.0.0.1:8004/v1//validate
-
-causes the following error message to be returned to the user:
-
-"Could not retrieve template: Failed to retrieve template:
-('Connection aborted.',
-BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
-
-This could be misused by tenants to gain knowledge about the internal
-network the heat API runs in.
-
-To prevent this information leak, this patch alters the error message
-to not include such details when the url scheme is not 'file'.
-
-SecurityImpact
-
-Closes-Bug: #1606500
-
-Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
-(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
----
- heat/common/urlfetch.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
-index 7efd968..8a7deae 100644
---- a/heat/common/urlfetch.py
-+++ b/heat/common/urlfetch.py
-@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
- return result
-
- except exceptions.RequestException as ex:
-- raise URLFetchError(_('Failed to retrieve template: %s') % ex)
-+ LOG.info(_LI('Failed to retrieve template: %s') % ex)
-+ raise URLFetchError(_('Failed to retrieve template from %s') % url)
---
-cgit v0.12
-
--
cgit v1.2.3-65-gdbad