On 28/11/14 01:26, Angus Lees wrote:
> Context: https://review.openstack.org/#/c/135616
>
> As far as I can make out, the fix for CVE-2014-7821 removed a backslash
> that effectively disables the negative look-ahead assertion that
> verifies that hostname can't be all-digits. Worse, the new version now
> rejects hostnames where a component starts with a digit.
Thanks for raising the issue!

> This certainly addressed the immediate issue of "that regex was
> expensive", but the change in behaviour looks like it was unintended.
> Given that we backported this DoS fix to released versions of neutron,
> what do we want to do about it now?

I don't think we've actually *released* any stable versions with the patch included, yet (neither Icehouse nor Juno). (Adding [stable] tag to subject to raise awareness.)

I'm adding the mail thread to the stable/juno etherpad to track the backwards incompatibility (probably a blocker for the forthcoming release): https://etherpad.openstack.org/p/StableJuno

> In general this regex is crazy complex for what it verifies. I can't
> see any discussion of where it came from nor precisely what it was
> intended to accept/reject when it was introduced in patch 16 of
> https://review.openstack.org/#/c/14219.
>
> If we're happy disabling the check for components being all-digits, then
> a minimal change to the existing regex that could be backported might be
> something like
>
> r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
>
> Alternatively (and clearly preferable for Kilo), Kevin has a replacement
> underway that rewrites this entirely to conform to modern RFCs in
> I003cf14d95070707e43e40d55da62e11a28dfa4e

With the change, will existing instances work as before?
/Ihar
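The question of what the proposed regex actually accepts and rejects is easiest to settle by running it. The following is an added example, not code from the thread or from neutron: it compiles the regex quoted above exactly as posted, runs it against a constructed set of hostnames covering the cases the thread discusses (label starting with a digit, all-digit label, hyphen placement, TLD shape, total length), and puts a hypothetical label-by-label validator (`explicit_accepts`, my own helper) beside it so that any divergence between "what the regex does" and "what we think the rule is" shows up as a failing comparison. The explicit validator also carries an optional all-digit-label check, which is the kind of readable, backportable test a reviewer can reason about without decoding a look-ahead. Two edges the test cases surface: the regex, used with `re.match`, accepts a name with a trailing newline because `$` matches before a final newline, and single-character labels such as `a.example.org` are rejected because each non-final label needs at least two characters.

```python
import re
import string

# The regex proposed in the thread, quoted verbatim.
PROPOSED_HOSTNAME_RE = re.compile(
    r'(?=^.{1,254}$)(^(?:[a-zA-Z0-9_](?:[a-zA-Z0-9_-]{,61}[a-zA-Z0-9])\.)*(?:[a-zA-Z]{2,})$)'
)

# Character classes mirroring the regex, used by the explicit validator below.
_FIRST = set(string.ascii_letters + string.digits + "_")
_MIDDLE = _FIRST | {"-"}
_LAST = set(string.ascii_letters + string.digits)


def regex_accepts(name):
    """True if the proposed regex accepts ``name`` via re.match, as a validator would call it."""
    return PROPOSED_HOSTNAME_RE.match(name) is not None


def explicit_accepts(name, allow_all_digit_labels=True):
    """Hypothetical helper (not neutron code): the same rules as the proposed regex,
    written out label by label, plus an optional all-digit-label rejection."""
    if not 1 <= len(name) <= 254:
        return False
    *inner, last = name.split(".")
    # Final label: letters only, at least two of them.
    if len(last) < 2 or not all(c in string.ascii_letters for c in last):
        return False
    for label in inner:
        # Each non-final label: 2..63 chars, no leading '-' and no trailing '-' or '_'.
        if not 2 <= len(label) <= 63:
            return False
        if label[0] not in _FIRST or label[-1] not in _LAST:
            return False
        if any(c not in _MIDDLE for c in label[1:-1]):
            return False
        if not allow_all_digit_labels and label.isdigit():
            return False
    return True


# Constructed sample hostnames covering the cases discussed in the thread.
SAMPLES = [
    "host1.example.org",          # ordinary name
    "1host.example.org",          # label starting with a digit
    "123.example.org",            # all-digit label
    "-host.example.org",          # leading hyphen
    "host-.example.org",          # trailing hyphen
    "host.example.o",             # TLD shorter than two letters
    "host.example.123",           # numeric TLD
    "a.example.org",              # single-character label
    "host.example.org\n",         # trailing newline
    "abcdefghij." * 22 + "org",   # 245 chars, inside the 254 limit
    "abcdefghij." * 23 + "org",   # 256 chars, over the limit
]


def compare(names=SAMPLES):
    """Return {name: (regex_result, explicit_result)} for each sample."""
    return {n: (regex_accepts(n), explicit_accepts(n)) for n in names}


def divergences(names=SAMPLES):
    """Names on which the regex and the explicit validator disagree."""
    return [n for n, (rx, ex) in compare(names).items() if rx != ex]


if __name__ == "__main__":
    for name, (rx, ex) in compare().items():
        print(f"{name!r:40} regex={rx!s:5} explicit={ex}")
    print("divergences:", divergences())
```

Running the block prints one row per sample and lists the only disagreement, the trailing-newline name; switching `re.match` to `re.fullmatch`, or ending the pattern with `\Z` instead of `$`, removes that gap. Because every quantifier in the proposed regex is bounded and the look-ahead caps the input at 254 characters, the backtracking it can do per label is bounded as well, which is the property the original DoS fix was after.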