Bug 1349167 - [lazy sync] pulp streamer does not handle base64 URLs padded with '='
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Pulp (Show other bugs)
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: 6.2.3
Target Release: Unused
Assigned To: satellite6-bugs
QA Contact: Katello QA List
Whiteboard: Triaged
Reported: 2016-06-22 16:56 EDT by Chris Duryee
Modified: 2018-09-19 11:14 EDT (History)
Fixed In Version: pulp-2.8.7.1-1
Last Closed: 2016-10-26 08:26:24 EDT
Type: Bug
External Trackers
Tracker: Pulp Redmine 2031 | Priority: Normal | Status: CLOSED - CURRENTRELEASE | Summary: possible incorrect URL param parsing by streamer | Last Updated: 2016-07-18 15:30 EDT
Tracker: Red Hat Product Errata RHBA-2016:2108 | Priority: normal | Status: SHIPPED_LIVE | Summary: Satellite 6.2.3 Async Bug Release | Last Updated: 2016-10-26 12:21:52 EDT
Description Chris Duryee 2016-06-22 16:56:10 EDT
Description of problem: The Pulp streamer uses a base64 encoded "time-bombed" URL to serve content. If the base64 encoding ends up padding the key with more than one '=' sign, Pulp will 403 the request and raise a stack trace.

It's difficult to reproduce a signature with extra '=' signs without resorting to curl commands, but the curl command can reliably do it.

How reproducible: every time


Steps to Reproduce:
1. see https://pulp.plan.io/issues/2031#note-5


Actual results: If you curl a known working URL with a bad signature with extra '='s (you can copy/paste the one from the pulp issue), you'll get a 403 with a stack trace


Expected results: the example curl command in the pulp issue should 403 without stack trace. In a "real" scenario with a correct signature, it would 200.


Additional info:

https://en.wikipedia.org/wiki/Base64#Padding has info on when a URL will be padded with extra ='s.
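The following is an added worked example, not Pulp's own code and not taken from the linked issue: it shows why a base64 value padded with one or two '=' characters breaks the common "split each key=value item on '='" parsing pattern, and how a time-bombed URL check can be written so that every bad request (extra padding, forged signature, wrong client IP, expired policy) is a plain 403 rather than a traceback. The policy fields (extensions.remote_ip, resource, expiration) are the ones the policy parameter in Comment 9's URL decodes to, and with the constructed values below the JSON is 175 bytes, so standard base64 pads it with '=='. Everything else is an assumption for the demo: the key, the function names, the ';' separator copied from the URL on this page, and an HMAC-SHA256 standing in for whatever signature scheme the real streamer uses.

```python
# Added example (not Pulp's own code): how '='-padded base64 values break a naive
# query parser, and how a time-bombed streamer URL can be checked so that every
# bad request is a plain 403 instead of a traceback.
import base64
import hashlib
import hmac
import json

# Constructed demo key. The real streamer's signature scheme is not shown on this
# page; an HMAC-SHA256 stands in for it so the example runs offline.
DEMO_KEY = b"constructed-demo-key"

# Constructed request details with the same fields the policy parameter in
# Comment 9 decodes to (remote_ip, resource, expiration).
RESOURCE = "/streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz"
CLIENT_IP = "192.168.14.131"
EXPIRATION = 1465783591


def encode_policy(resource, remote_ip, expiration):
    """Policy document as standard base64. Padding is kept: a JSON length of
    3n+1 bytes gives '==', 3n+2 gives '=' (see the Base64 padding link above)."""
    doc = {"extensions": {"remote_ip": remote_ip},
           "resource": resource, "expiration": expiration}
    return base64.b64encode(json.dumps(doc).encode()).decode()


def sign_policy(policy_b64, key=DEMO_KEY):
    """urlsafe base64 ('-'/'_' alphabet, padding kept) of an HMAC over the
    encoded policy; the same shape as the signature parameter in Comment 9."""
    mac = hmac.new(key, policy_b64.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def build_query(policy_b64, signature):
    """The streamer URL on this page separates the two parameters with ';'."""
    return f"policy={policy_b64};signature={signature}"


def parse_query_naive(query):
    """Fragile pattern: split each item on every '=' and unpack two names.
    A value ending in '=' or '==' yields three or four pieces -> ValueError,
    which surfaces as a traceback rather than a clean 403."""
    params = {}
    for item in query.split(";"):
        key, value = item.split("=")
        params[key] = value
    return params


def parse_query(query):
    """Split on the first '=' only, so '=' padding stays inside the value."""
    params = {}
    for item in query.split(";"):
        if item:
            key, _, value = item.partition("=")
            params[key] = value
    return params


def check_request(path, query, remote_ip, now, key=DEMO_KEY, parser=parse_query):
    """Return the HTTP status a streamer-style check would give. Every policy
    failure is 403; only a programming error (e.g. the naive parser) raises."""
    params = parser(query)
    policy_b64 = params.get("policy", "")
    signature = params.get("signature", "")
    if not policy_b64 or not signature:
        return 403
    # Verify the signature before decoding anything, so a forged or garbled
    # policy is never interpreted. compare_digest on bytes avoids timing leaks
    # and does not choke on non-ASCII input.
    expected = sign_policy(policy_b64, key).encode()
    if not hmac.compare_digest(signature.encode(), expected):
        return 403
    try:
        policy = json.loads(base64.b64decode(policy_b64, validate=True))
    except ValueError:  # binascii.Error, UnicodeDecodeError and JSONDecodeError
        return 403
    if not isinstance(policy, dict) or policy.get("resource") != path:
        return 403
    ext = policy.get("extensions")
    if not isinstance(ext, dict) or ext.get("remote_ip") != remote_ip:
        return 403
    expiration = policy.get("expiration")
    if not isinstance(expiration, int) or now >= expiration:
        return 403
    return 200


if __name__ == "__main__":
    policy = encode_policy(RESOURCE, CLIENT_IP, EXPIRATION)
    query = build_query(policy, sign_policy(policy))
    print("policy padding:", policy[-2:])                   # ==
    try:
        parse_query_naive(query)
    except ValueError as exc:
        print("naive parser:", exc)   # ValueError: too many values to unpack (expected 2)
    print(check_request(RESOURCE, query, CLIENT_IP, EXPIRATION - 60))        # 200
    print(check_request(RESOURCE, query, CLIENT_IP, EXPIRATION + 60))        # 403, expired
    print(check_request(RESOURCE, query + "==", CLIENT_IP, EXPIRATION - 60))  # 403, extra '='
```

Appending '==' to the query reproduces the shape of the report's "bad signature with extra ='s": with the naive parser the request never reaches the policy checks at all, the ValueError propagates as a traceback and the front-end web server answers with a generic 403, which is exactly the symptom in the description; with the partition-based parser the surplus padding simply makes the signature fail to verify and the check returns 403 cleanly. Verifying the signature before base64-decoding the policy also means an attacker-controlled policy blob is never parsed unless it was minted with the key.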
Comment 3 pulp-infra@redhat.com 2016-06-24 14:00:21 EDT
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.
Comment 4 pulp-infra@redhat.com 2016-06-24 14:00:24 EDT
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.
Comment 5 pulp-infra@redhat.com 2016-07-05 10:00:30 EDT
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.
Comment 6 pulp-infra@redhat.com 2016-07-12 16:30:59 EDT
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.
Comment 7 pulp-infra@redhat.com 2016-07-18 15:30:44 EDT
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.
Comment 8 Brad Buckingham 2016-07-25 09:19:58 EDT
Moving to POST as upstream fix is available.
Comment 9 jcallaha 2016-10-11 16:44:41 EDT
Verified in Satellite 6.2.3 Snap 2.

Followed the steps outlined in the pulp issue (linked). No traceback received.

[root@dell-pe-fc630-01 x86_64]# curl -v 'http://localhost/streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz?policy=eyJleHRlbnNpb25zIjogeyJyZW1vdGVfaXAiOiAiMTkyLjE2OC4xNC4xMzEifSwgInJlc291cmNlIjogIi9zdHJlYW1lci92YXIvbGliL3B1bHAvY29udGVudC9kaXN0cmlidXRpb24va3MtQ2VudE9TLS03LXg4Nl82NC9pbWFnZXMvcHhlYm9vdC92bWxpbnV6IiwgImV4cGlyYXRpb24iOiAxNDY1NzgzNTkxfQ==;signature=ANlO8fxrFZ3mi9J8bf64XGBOBeM3Wal49VDtZPlJvwpa2X7ezF6tl8jfC7RKrjwWuWxAotT8UMEKn4foZqodZogao4HGaQkddkcFAPrZ53OjYijF_3P4h8fETImWC2cJkY4Cq0lbNi2tQ96dLe7nEEVioXwN1jYOsm42ZBbKbq3wapTU3bAtnSSzD3AjF9G4n9KRJ-YZLmuk1DNxsKI0sMdjiGKiWqz7jJXyji7pkMP_QoGAhhudQwsdmVzB9H3BEEqFoXYmM0Zl7kqB6sB8Msn-UMPoVyOd1GaJ7Wc-FEs9QQ_CnxgF8xEkaMadM2DbbYRB8R-CUb2NbvH2WRZIPQ=='
* About to connect() to localhost port 80 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 80 (#0)
> GET /streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz?policy=eyJleHRlbnNpb25zIjogeyJyZW1vdGVfaXAiOiAiMTkyLjE2OC4xNC4xMzEifSwgInJlc291cmNlIjogIi9zdHJlYW1lci92YXIvbGliL3B1bHAvY29udGVudC9kaXN0cmlidXRpb24va3MtQ2VudE9TLS03LXg4Nl82NC9pbWFnZXMvcHhlYm9vdC92bWxpbnV6IiwgImV4cGlyYXRpb24iOiAxNDY1NzgzNTkxfQ==;signature=ANlO8fxrFZ3mi9J8bf64XGBOBeM3Wal49VDtZPlJvwpa2X7ezF6tl8jfC7RKrjwWuWxAotT8UMEKn4foZqodZogao4HGaQkddkcFAPrZ53OjYijF_3P4h8fETImWC2cJkY4Cq0lbNi2tQ96dLe7nEEVioXwN1jYOsm42ZBbKbq3wapTU3bAtnSSzD3AjF9G4n9KRJ-YZLmuk1DNxsKI0sMdjiGKiWqz7jJXyji7pkMP_QoGAhhudQwsdmVzB9H3BEEqFoXYmM0Zl7kqB6sB8Msn-UMPoVyOd1GaJ7Wc-FEs9QQ_CnxgF8xEkaMadM2DbbYRB8R-CUb2NbvH2WRZIPQ== HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Tue, 11 Oct 2016 20:35:55 GMT
< Server: Apache/2.2.15 (Red Hat)
< Vary: Accept-Encoding
< Content-Length: 287
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz
on this server.</p>
</body></html>
* Closing connection #0
Comment 11 errata-xmlrpc 2016-10-26 08:26:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108
