
Bug#773140: marked as done (unblock: rabbitmq-server/3.3.5-1.1)



Your message dated Wed, 17 Dec 2014 07:21:30 +0000
with message-id <f87fb0d2cdfac73725f908847e5c6323@mail.adsl.funky-badger.org>
and subject line Re: Bug#773140: Uploaded to testing-proposed-updates
has caused the Debian Bug report #773140,
regarding unblock: rabbitmq-server/3.3.5-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773140: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773140
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Is it OK to upload rabbitmq-server/3.3.5-1.1 to testing-proposed-updates?

773134 reports that it is insecure because it trusts the X-Forwarded-For HTTP
header.  The following patches were applied upstream to fix this:

 * http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
 * http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

rabbitmq-server/3.4.1-1 is already in unstable.

I've attached the patch that I'm planning to use.

unblock rabbitmq-server/3.3.5-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -u rabbitmq-server-3.3.5/debian/changelog rabbitmq-server-3.3.5/debian/changelog
--- rabbitmq-server-3.3.5/debian/changelog
+++ rabbitmq-server-3.3.5/debian/changelog
@@ -1,3 +1,10 @@
+rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not trust X-Forwarded-For (Closes: #773134).
+
+ -- Matt Kraai <kraai@debian.org>  Sun, 14 Dec 2014 14:51:41 -0800
+
 rabbitmq-server (3.3.5-1) unstable; urgency=low
 
   * New upstream release:
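Review bot: the changelog entry says only "Do not trust X-Forwarded-For (Closes: #773134)" and does not record that this is a backport of the two upstream changesets named in the mail (c3c41177a11a and 35e916df027d). Naming them in the entry, or in a patch header under debian/patches, lets the next uploader see exactly what was cherry-picked when this is rebased onto a newer upstream.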
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
+++ rabbitmq-server-3.3.5/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
@@ -40,6 +40,9 @@
 -include("rabbit_mgmt.hrl").
 -include_lib("amqp_client/include/amqp_client.hrl").
 
+-include_lib("webmachine/include/wm_reqdata.hrl").
+-include_lib("webmachine/include/wm_reqstate.hrl").
+
 -define(FRAMING, rabbit_framing_amqp_0_9_1).
 
 %%--------------------------------------------------------------------
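Review bot: the two new -include_lib lines pull in webmachine's wm_reqdata and wm_reqstate record definitions so that peer/1 (added later in this patch) can read ReqData#wm_reqdata.wm_state and WMState#wm_reqstate.socket directly. Those headers describe webmachine's internal request state rather than a public accessor API, so a webmachine upgrade that renames either field will break this at build time. A short comment above the includes stating why they are needed, and which webmachine version the record layout was checked against, would make that coupling visible to whoever next rebases the backport.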
@@ -116,11 +119,7 @@
              end,
     case rabbit_access_control:check_user_pass_login(Username, Password) of
         {ok, User = #user{tags = Tags}} ->
-            IPStr = wrq:peer(ReqData),
-            %% inet_parse:address/1 is an undocumented function but
-            %% exists in old versions of Erlang. inet:parse_address/1
-            %% is a documented wrapper round it but introduced in R16B.
-            {ok, IP} = inet_parse:address(IPStr),
+            IP = peer(ReqData),
             case rabbit_access_control:check_user_loopback(Username, IP) of
                 ok ->
                     case is_mgmt_user(Tags) of
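Review bot: with IP now taken from the socket instead of wrq:peer/1, check_user_loopback/2 can no longer be satisfied by a remote client sending X-Forwarded-For: 127.0.0.1, which is the fix #773134 asks for. The flip side is that a management listener sitting behind a reverse proxy on the same host will now report every client as loopback, so loopback-only users become reachable through such a proxy; that deployment caveat deserves a sentence in the changelog or NEWS so administrators who relied on the header know to move the proxy off localhost or revisit the loopback-only tags.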
@@ -143,6 +142,17 @@
             not_authorised(<<"Login failed">>, ReqData, Context)
     end.
 
+%% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
+peer(ReqData) ->
+    WMState = ReqData#wm_reqdata.wm_state,
+    {ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket),
+    IP.
+
+%% Like the one in rabbit_net, but we and webmachine have a different
+%% way of wrapping
+peername(Sock) when is_port(Sock) -> inet:peername(Sock);
+peername({ssl, SSL})              -> ssl:peername(SSL).
+
 vhost(ReqData) ->
     case id(vhost, ReqData) of
         none  -> none;
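Review bot: `{ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket)` in peer/1 badmatches whenever peername/1 returns `{error, _}` (for instance when the client has already closed the connection), and peername/1 only has clauses for a raw port and an `{ssl, SSL}` tuple, so any other socket wrapper raises function_clause. Either case turns a login attempt into a crashed request process rather than a refused login. Consider having peer/1 return `{ok, IP} | {error, Reason}` and routing the error to the existing `not_authorised(<<"Login failed">>, ReqData, Context)` branch in the caller, so the failure mode is a 401 instead of a 500.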

--- End Message ---
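To make the bug referenced as #773134 concrete, the following is an added Python illustration, not RabbitMQ's Erlang code and not part of the original mail. It feeds a loopback-only login check first with a peer function that honours X-Forwarded-For (the behaviour the patch attributes to wrq:peer/1) and then with one that only reads the transport-layer peer, as the patched peer/1 does. The Request type, the LOOPBACK_ONLY set, the header parsing and the sample addresses are all assumptions constructed for this example; how wrq:peer/1 actually parses the header is not shown on this page.

```python
"""Added illustration of the X-Forwarded-For loopback bypass (not project code).

Everything here is constructed: the Request shape, the set of loopback-only
users, the header parsing and the sample addresses are assumptions made for
the example, not RabbitMQ's or webmachine's actual implementation.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Request:
    peer: str                                   # address the TCP/TLS peer connected from
    headers: Dict[str, str] = field(default_factory=dict)


def peer_trusting_xff(req: Request) -> str:
    """Vulnerable variant: believes a client-supplied X-Forwarded-For header.

    Assumption: the header's first element is taken as the client address,
    the common reverse-proxy convention. Any client can set this header.
    """
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.peer


def peer_from_socket(req: Request) -> str:
    """Fixed variant: only the address the socket peer actually connected from,
    which a remote client cannot spoof by adding headers."""
    return req.peer


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; raises ValueError on a malformed address."""
    return ipaddress.ip_address(ip).is_loopback


# Constructed analogue of a loopback-only-user check: such users may log in
# only from the local machine, so a remote address must be refused.
LOOPBACK_ONLY = {"guest"}


def check_user_loopback(username: str, ip: str) -> str:
    if username in LOOPBACK_ONLY and not is_loopback(ip):
        return "not_authorised"
    return "ok"


def login(req: Request, username: str, peer_fn: Callable[[Request], str]) -> str:
    """Outcome of a login attempt when the client address comes from peer_fn."""
    try:
        ip = peer_fn(req)
        return check_user_loopback(username, ip)
    except ValueError:
        # A garbage X-Forwarded-For value must not become a crash: refuse.
        return "not_authorised"


# Constructed samples: a remote attacker (TEST-NET-3 address) spoofing the
# header, and a genuinely local client.
ATTACK = Request(peer="203.0.113.7", headers={"X-Forwarded-For": "127.0.0.1"})
ATTACK_CHAIN = Request(peer="203.0.113.7",
                       headers={"X-Forwarded-For": "127.0.0.1, 10.0.0.5"})
ATTACK_GARBAGE = Request(peer="203.0.113.7", headers={"X-Forwarded-For": "not-an-ip"})
LOCAL = Request(peer="127.0.0.1")


def demo() -> Dict[str, str]:
    """Same requests, vulnerable versus fixed peer resolution."""
    return {
        "vulnerable_remote_spoofed": login(ATTACK, "guest", peer_trusting_xff),
        "vulnerable_remote_chain": login(ATTACK_CHAIN, "guest", peer_trusting_xff),
        "vulnerable_remote_garbage": login(ATTACK_GARBAGE, "guest", peer_trusting_xff),
        "fixed_remote_spoofed": login(ATTACK, "guest", peer_from_socket),
        "fixed_local": login(LOCAL, "guest", peer_from_socket),
        "fixed_remote_unrestricted_user": login(ATTACK, "admin", peer_from_socket),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32s} {outcome}")
```

The two "vulnerable_remote" cases are the bug: a remote client with a forged header passes the loopback check for the restricted user. With peer_from_socket the same request is refused while a real local client and an unrestricted user are unaffected, which is the behaviour the patched peer/1 restores.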
--- Begin Message ---
On 2014-12-17 6:15, Matt Kraai wrote:
Control: tag 773140 - moreinfo

Hi,

I've uploaded rabbitmq-server/3.3.5-1.1 to testing-proposed-updates
using the patch sent earlier.

Unblocked, thanks.

Regards,

Adam

--- End Message ---
