Public bug reported: Security folks found some corner cases in the neutron API where the response contains a traceback, for example:
$ curl --request-target foo -k http://127.0.0.1:9696
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/eventlet/wsgi.py", line 563, in handle_one_response
    result = self.application(self.environ, start_response)
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 208, in __call__
    path_info = self.normalize_url(path_info, False)[1]
  File "/usr/local/lib/python3.8/dist-packages/paste/urlmap.py", line 130, in normalize_url
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')

As a developer I don't mind such tracebacks, but I see their point that this may give away unwanted information to an attacker. On the other hand I would not consider this in itself a vulnerability.

Pushing a trivial fix in a minute.

** Affects: neutron
     Importance: Low
     Assignee: Bence Romsics (bence-romsics)
     Status: In Progress

** Tags: api
https://bugs.launchpad.net/bugs/1951429
Title: Neutron API responses should not contain tracebacks
Status in neutron: In Progress
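The failure mode in this report, an unhandled exception whose traceback reaches the client, can be contained by a catch-all WSGI layer that logs the traceback server-side and returns a generic error. This is an added example, not neutron's fix or code from the bug report; `app`, `HideTracebacks` and `call` are hypothetical names, and the failing check is a constructed stand-in for the `paste.urlmap` assertion.

```python
import io
import logging
import sys
import uuid

LOG = logging.getLogger("api.errors")


def app(environ, start_response):
    # Constructed stand-in for the failing check in the traceback above.
    path = environ.get("PATH_INFO", "")
    if path and not path.startswith("/"):
        raise AssertionError("bad fragment %r" % path)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


class HideTracebacks:
    """WSGI middleware: log unhandled exceptions, return a generic 500."""

    def __init__(self, application):
        self.application = application

    def __call__(self, environ, start_response):
        try:
            # Buffer the body so errors raised while iterating are caught too.
            return list(self.application(environ, start_response))
        except Exception:
            error_id = uuid.uuid4().hex
            # The full traceback goes to the server log, keyed by error_id.
            LOG.exception("unhandled error %s on %r", error_id,
                          environ.get("PATH_INFO"))
            body = ("Internal Server Error (id %s)\n" % error_id).encode()
            headers = [("Content-Type", "text/plain"),
                       ("Content-Length", str(len(body)))]
            # exc_info allows replacing headers the app may already have set.
            start_response("500 Internal Server Error", headers, sys.exc_info())
            return [body]


def call(application, path):
    """Drive a WSGI app once; return (status, body) as a client would see them."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.input": io.BytesIO(), "wsgi.errors": io.StringIO()}
    body = b"".join(application(
        environ, lambda status, headers, exc_info=None: seen.update(status=status)))
    return seen["status"], body
```

The error id in the response lets an operator find the matching traceback in the server log without exposing file paths or library versions to the client.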

