[ 
https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347980#comment-15347980
 ] 

Adam B commented on MESOS-5685:
-------------------------------

commit 6852825da519024de4713b3571e65f1fd5af60ef
Author: Greg Mann <[email protected]>
Date:   Fri Jun 24 00:21:16 2016 -0700

    Fixed failed authorization of '/files/*' endpoints.
    
    The `FilesProcess` stores an authorization callback
    for every virtual path. If no callback is found when
    authorizing a request, then it is assumed that path
    is not authorizable, so the request is approved.
    This led to a bug in which the callbacks for paths
    with trailing slashes were not correctly identified,
    leading to requests being incorrectly authorized.
    
    This patch trims trailing slashes before comparing
    the requested path with the authorized paths.
    
    Review: https://reviews.apache.org/r/49131/


> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>            Priority: Blocker
>              Labels: mesosphere
>             Fix For: 1.0.0
>
>
> If a forward slash is appended to the path of a file a user wishes to 
> download via {{/files/download}}, the authorization logic for that path will 
> be bypassed and the file will be downloaded regardless of permissions. This 
> is because we store the authorization callbacks for these paths in a map 
> which is keyed by the path name, so a request to {{/master/log/}} fails to 
> find the callback which is installed for {{/master/log}}. When the master 
> fails to find the callback, it assumes authorization is not required for that 
> path and authorizes the action.
> Consider the following excerpt:
> {code}
> gmann@gmac:~/src/mesos/build⚡  http GET http://127.0.0.1:5050/files/download\?path\=/master/log -a foo:bar
> HTTP/1.1 403 Forbidden
> Content-Length: 0
> Date: Wed, 22 Jun 2016 21:28:53 GMT
> gmann@gmac:~/src/mesos/build⚡  http GET http://127.0.0.1:5050/files/download\?path\=/master/log/ -a foo:bar
> HTTP/1.1 200 OK
> Content-Disposition: attachment; filename=mesos-master.gmac.gmann.log.INFO.20160622-142843.65615
> Content-Length: 14432
> Content-Type: application/octet-stream
> Date: Wed, 22 Jun 2016 21:28:56 GMT
> Log file created at: 2016/06/22 14:28:43
> Running on machine: gmac
> Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
> I0622 14:28:43.476925 2080764672 logging.cpp:194] INFO level logging started!
> I0622 14:28:43.477522 2080764672 main.cpp:367] Using 'HierarchicalDRF' allocator
> I0622 14:28:43.480650 2080764672 leveldb.cpp:174] Opened db in 2961us
> I0622 14:28:43.481046 2080764672 leveldb.cpp:181] Compacted db in 372us
> I0622 14:28:43.481078 2080764672 leveldb.cpp:196] Created db iterator in 13us
> I0622 14:28:43.481096 2080764672 leveldb.cpp:202] Seeked to beginning of db in 9us
> I0622 14:28:43.481111 2080764672 leveldb.cpp:271] Iterated through 0 keys in the db in 8us
> I0622 14:28:43.481165 2080764672 replica.cpp:779] Replica recovered with log positions 0 -> 0 with 1 holes and 0 unlearned
> I0622 14:28:43.481967 219914240 recover.cpp:451] Starting replica recovery
> I0622 14:28:43.482193 219914240 recover.cpp:477] Replica is in EMPTY status
> I0622 14:28:43.482589 2080764672 main.cpp:488] Creating default 'local' authorizer
> I0622 14:28:43.482719 2080764672 main.cpp:545] Starting Mesos master
> I0622 14:28:43.483085 218841088 replica.cpp:673] Replica in EMPTY status received a broadcasted recover request from (4)@127.0.0.1:5050
> I0622 14:28:43.487284 218304512 recover.cpp:197] Received a recover response from a replica in EMPTY status
> I0622 14:28:43.487694 219914240 recover.cpp:568] Updating replica status to STARTING
> {code}
> We could consider disallowing paths which end in trailing slashes.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
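
The exact-key lookup described in the issue, next to the trimming fix described in the commit message, as an added C++ example. It is not Mesos code and not part of the original message; the type and function names, the "operator" principal and the sample callback map are hypothetical.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the per-path authorization callbacks described
// above; the names here are illustrative and are not Mesos identifiers.
using AuthzCallback = std::function<bool(const std::string& principal)>;
using CallbackMap = std::map<std::string, AuthzCallback>;

// Remove every trailing '/' but keep a lone "/" intact.
std::string trimTrailingSlashes(std::string path) {
  while (path.size() > 1 && path.back() == '/') path.pop_back();
  return path;
}

// Behaviour described in the report: exact-key lookup, and a miss is
// treated as "path is not authorizable", so the request is approved.
bool authorizeExact(const CallbackMap& cbs, const std::string& path,
                    const std::string& principal) {
  auto it = cbs.find(path);
  if (it == cbs.end()) return true;  // approve on lookup miss
  return it->second(principal);
}

// Behaviour described in the commit message: trim trailing slashes
// before comparing the requested path with the registered paths.
bool authorizeTrimmed(const CallbackMap& cbs, const std::string& path,
                      const std::string& principal) {
  return authorizeExact(cbs, trimTrailingSlashes(path), principal);
}

// Constructed sample data: one protected virtual path, one allowed principal.
CallbackMap sampleCallbacks() {
  return {{"/master/log",
           [](const std::string& p) { return p == "operator"; }}};
}

int main() {
  const CallbackMap cbs = sampleCallbacks();
  for (const char* path : {"/master/log", "/master/log/", "/master/log//"}) {
    std::cout << path << " exact=" << authorizeExact(cbs, path, "foo")
              << " trimmed=" << authorizeTrimmed(cbs, path, "foo") << "\n";
  }
  return 0;
}
```

The trimmed variant keeps the approve-on-miss behaviour, so it is only correct while every requested path is reduced to the same form that was used as the map key.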
