
Bug#773140: unblock: rabbitmq-server/3.3.5-1.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Is it OK to upload rabbitmq-server/3.3.5-1.1 to testing-proposed-updates?

Bug #773134 reports that it is insecure because it trusts the X-Forwarded-For HTTP
header.  The following patches were applied upstream to fix this:

 * http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
 * http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

rabbitmq-server/3.4.1-1 is already in unstable.

I've attached the patch that I'm planning to use.

unblock rabbitmq-server/3.3.5-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -u rabbitmq-server-3.3.5/debian/changelog rabbitmq-server-3.3.5/debian/changelog
--- rabbitmq-server-3.3.5/debian/changelog
+++ rabbitmq-server-3.3.5/debian/changelog
@@ -1,3 +1,10 @@
+rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not trust X-Forwarded-For (Closes: #773134).
+
+ -- Matt Kraai <kraai@debian.org>  Sun, 14 Dec 2014 14:51:41 -0800
+
 rabbitmq-server (3.3.5-1) unstable; urgency=low
 
   * New upstream release:
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
+++ rabbitmq-server-3.3.5/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
@@ -40,6 +40,9 @@
 -include("rabbit_mgmt.hrl").
 -include_lib("amqp_client/include/amqp_client.hrl").
 
+-include_lib("webmachine/include/wm_reqdata.hrl").
+-include_lib("webmachine/include/wm_reqstate.hrl").
+
 -define(FRAMING, rabbit_framing_amqp_0_9_1).
 
 %%--------------------------------------------------------------------
@@ -116,11 +119,7 @@
              end,
     case rabbit_access_control:check_user_pass_login(Username, Password) of
         {ok, User = #user{tags = Tags}} ->
-            IPStr = wrq:peer(ReqData),
-            %% inet_parse:address/1 is an undocumented function but
-            %% exists in old versions of Erlang. inet:parse_address/1
-            %% is a documented wrapper round it but introduced in R16B.
-            {ok, IP} = inet_parse:address(IPStr),
+            IP = peer(ReqData),
             case rabbit_access_control:check_user_loopback(Username, IP) of
                 ok ->
                     case is_mgmt_user(Tags) of
@@ -143,6 +142,17 @@
             not_authorised(<<"Login failed">>, ReqData, Context)
     end.
 
+%% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
+peer(ReqData) ->
+    WMState = ReqData#wm_reqdata.wm_state,
+    {ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket),
+    IP.
+
+%% Like the one in rabbit_net, but we and webmachine have a different
+%% way of wrapping
+peername(Sock) when is_port(Sock) -> inet:peername(Sock);
+peername({ssl, SSL})              -> ssl:peername(SSL).
+
 vhost(ReqData) ->
     case id(vhost, ReqData) of
         none  -> none;
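Review bot: `{ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket)` in peer/1 aborts the request with a badmatch whenever the peer has already gone away and inet:peername/1 or ssl:peername/1 returns `{error, Reason}`; that matches the behaviour of the removed `{ok, IP} = inet_parse:address(IPStr)`, but the intent deserves a comment, e.g. `%% badmatch on {error, _} is deliberate: a login whose peer address cannot be established must not reach the loopback check.` The new code also reaches into webmachine's `#wm_reqdata.wm_state` and `#wm_reqstate.socket` fields (the record includes added in the first hunk), so rabbit_mgmt_util now depends on webmachine's internal record layout and on its `{ssl, SSL}` socket wrapper rather than on its public API; a one-line comment recording which webmachine version this was verified against would help whoever next upgrades the plugin. Finally, since check_user_loopback/2 now sees only the transport-level peer, a reverse proxy running on the same host would make every proxied client look like loopback — presumably acceptable for this fix, but worth stating next to the `We can't use wrq:peer/1` comment so operators know the trade-off.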
