Package: release.debian.org Severity: normal User: [email protected] Usertags: unblock
Is it OK to upload rabbitmq-server/3.3.5-1.1 to testing-proposed-updates? 773134 reports that it is insecure because it trusts the X-Forwarded-For HTTP header. The following patches were applied upstream to fix this: * http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a * http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d rabbitmq-server/3.4.1-1 is already in unstable. I've attached the patch that I'm planning to use. unblock rabbitmq-server/3.3.5-1.1 -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -u rabbitmq-server-3.3.5/debian/changelog rabbitmq-server-3.3.5/debian/changelog
--- rabbitmq-server-3.3.5/debian/changelog
+++ rabbitmq-server-3.3.5/debian/changelog
@@ -1,3 +1,10 @@
+rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
+
+ * Non-maintainer upload.
+ * Do not trust X-Forwarded-For (Closes: #773134).
+
+ -- Matt Kraai <[email protected]> Sun, 14 Dec 2014 14:51:41 -0800
+
 rabbitmq-server (3.3.5-1) unstable; urgency=low
 * New upstream release:
only in patch2:
unchanged:
--- rabbitmq-server-3.3.5.orig/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
+++ rabbitmq-server-3.3.5/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
@@ -40,6 +40,9 @@
 -include("rabbit_mgmt.hrl").
 -include_lib("amqp_client/include/amqp_client.hrl").
+-include_lib("webmachine/include/wm_reqdata.hrl").
+-include_lib("webmachine/include/wm_reqstate.hrl").
+
 -define(FRAMING, rabbit_framing_amqp_0_9_1).
 %%--------------------------------------------------------------------
@@ -116,11 +119,7 @@
 end,
 case rabbit_access_control:check_user_pass_login(Username, Password) of
 {ok, User = #user{tags = Tags}} ->
- IPStr = wrq:peer(ReqData),
- %% inet_parse:address/1 is an undocumented function but
- %% exists in old versions of Erlang. inet:parse_address/1
- %% is a documented wrapper round it but introduced in R16B.
- {ok, IP} = inet_parse:address(IPStr),
+ IP = peer(ReqData),
 case rabbit_access_control:check_user_loopback(Username, IP) of
 ok ->
 case is_mgmt_user(Tags) of
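Review bot: `IP = peer(ReqData)` now hands check_user_loopback/2 the transport-level peer address, so the loopback check is only as meaningful as the TCP endpoint itself: if a reverse proxy or TLS terminator runs on the same host, every remote client presumably arrives as 127.0.0.1 and the check passes for all of them. That deployment consequence is invisible at the call site, and the removed comment about inet_parse is not replaced by anything explaining the new call. A one-line comment such as `%% transport peer, never X-Forwarded-For; a reverse proxy on localhost makes every client look like loopback` would tell the next maintainer both why the header is ignored and what it costs. The enclosing function starts and ends outside this hunk.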
@@ -143,6 +142,17 @@
 not_authorised(<<"Login failed">>, ReqData, Context)
 end.
+%% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
+peer(ReqData) ->
+ WMState = ReqData#wm_reqdata.wm_state,
+ {ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket),
+ IP.
+
+%% Like the one in rabbit_net, but we and webmachine have a different
+%% way of wrapping
+peername(Sock) when is_port(Sock) -> inet:peername(Sock);
+peername({ssl, SSL}) -> ssl:peername(SSL).
+
 vhost(ReqData) ->
 case id(vhost, ReqData) of
 none -> none;
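Review bot: `peer/1` reads webmachine's private `#wm_reqdata` and `#wm_reqstate` records directly (which is what the two new `-include_lib` lines in the earlier hunk exist for), so this fix is pinned to the record layout of the bundled webmachine, and a later webmachine that reorders or renames those fields breaks the build or the socket lookup without any warning here. The comment above `peer/1` should say so, e.g. `%% Reads the socket out of webmachine's private request records; keep in step with the bundled webmachine version.`. Separately, `{ok, {IP,_Port}} = peername(...)` badmatches when the client has already disconnected, since inet:peername/1 and ssl:peername/1 return `{error, _}` in that case, so a dropped connection crashes the request handler instead of being reported as a failed login; that may be acceptable under let-it-crash, but it deserves a comment or an explicit `{error, _}` clause. The two `peername/1` clauses cover only raw ports and `{ssl, _}` wrappers, so any other socket shape is a function_clause crash, which the `%% Like the one in rabbit_net` comment should state as intentional.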

