Bug 1349167 - [lazy sync] pulp streamer does not handle base64 URLs padded with '='
Summary: [lazy sync] pulp streamer does not handle base64 URLs padded with '='
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Pulp
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-06-22 20:56 UTC by Chris Duryee
Modified: 2019-09-26 14:01 UTC (History)

Fixed In Version: pulp-2.8.7.1-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-26 12:26:24 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Pulp Redmine 2031 Normal CLOSED - CURRENTRELEASE possible incorrect URL param parsing by streamer 2016-07-18 19:30:43 UTC
Red Hat Product Errata RHBA-2016:2108 normal SHIPPED_LIVE Satellite 6.2.3 Async Bug Release 2016-10-26 16:21:52 UTC

Description Chris Duryee 2016-06-22 20:56:10 UTC
Description of problem: The Pulp streamer uses a base64 encoded "time-bombed" URL to serve content. If the base64 encoding ends up padding the key with more than one '=' sign, Pulp will 403 the request and raise a stack trace.

It's difficult to reproduce a signature with extra '=' signs without resorting to curl commands, but the curl command can reliably do it.

How reproducible: every time


Steps to Reproduce:
1. see https://pulp.plan.io/issues/2031#note-5


Actual results: If you curl a known working URL with a bad signature with extra ='s (you can copy/paste the one from the pulp issue), you'll get a 403 with stack trace


Expected results: the example curl command in the pulp issue should 403 without stack trace. In a "real" scenario with a correct signature, it would 200.


Additional info:

https://en.wikipedia.org/wiki/Base64#Padding has info on when a URL will be padded with extra ='s.
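The failure mode above is a query-string parser that cannot cope with '=' padding in the base64 values. The following is an added example (not Pulp's code, and with a constructed HMAC secret standing in for the streamer's RSA key): it splits `policy=...;signature=...` on the first '=' only, decodes URL-safe base64 whether or not padding is present, and maps every parse or verification failure to a plain 403 instead of a traceback.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; the real streamer signs with an RSA key pair.
SECRET = b"constructed-example-key"


def b64decode_padded(value):
    """URL-safe base64 decode that tolerates '=' / '==' padding either present
    or stripped (padding is what the original report tripped over)."""
    value = value.strip().rstrip("=")
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_policy_query(query):
    """Split 'policy=...;signature=...' on ';' and then on the FIRST '=' only,
    so trailing '=' padding stays in the value. A naive
    'key, value = part.split("=")' raises ValueError on 'abc=='."""
    fields = {}
    for part in query.split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError("malformed query part: %r" % part)
        fields[key] = value
    return fields


def sign_policy(policy):
    """Issuer side (constructed): base64 the JSON policy and HMAC it."""
    policy_b64 = base64.urlsafe_b64encode(json.dumps(policy).encode()).decode()
    sig = hmac.new(SECRET, policy_b64.encode(), hashlib.sha256).digest()
    return "policy=%s;signature=%s" % (policy_b64, base64.urlsafe_b64encode(sig).decode())


def check_request(query, remote_ip, now):
    """Streamer side: 200 only if signature, client IP and expiry all check
    out; every parse/decode failure maps to a plain 403, never a traceback."""
    try:
        fields = parse_policy_query(query)
        policy_b64 = fields["policy"]
        expected = hmac.new(SECRET, policy_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64decode_padded(fields["signature"]), expected):
            return 403
        policy = json.loads(b64decode_padded(policy_b64))
        if policy["extensions"]["remote_ip"] != remote_ip or now > policy["expiration"]:
            return 403
        return 200
    except (KeyError, TypeError, ValueError, UnicodeDecodeError):
        return 403
```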

Comment 3 pulp-infra@redhat.com 2016-06-24 18:00:21 UTC
The Pulp upstream bug status is at POST. Updating the external tracker on this bug.

Comment 4 pulp-infra@redhat.com 2016-06-24 18:00:24 UTC
The Pulp upstream bug priority is at Normal. Updating the external tracker on this bug.

Comment 5 pulp-infra@redhat.com 2016-07-05 14:00:30 UTC
The Pulp upstream bug status is at MODIFIED. Updating the external tracker on this bug.

Comment 6 pulp-infra@redhat.com 2016-07-12 20:30:59 UTC
The Pulp upstream bug status is at ON_QA. Updating the external tracker on this bug.

Comment 7 pulp-infra@redhat.com 2016-07-18 19:30:44 UTC
The Pulp upstream bug status is at CLOSED - CURRENTRELEASE. Updating the external tracker on this bug.

Comment 8 Brad Buckingham 2016-07-25 13:19:58 UTC
Moving to POST as upstream fix is available.

Comment 9 jcallaha 2016-10-11 20:44:41 UTC
Verified in Satellite 6.2.3 Snap 2.

Followed the steps outlined in the pulp issue (linked). No traceback received.

[root@dell-pe-fc630-01 x86_64]# curl -v 'http://localhost/streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz?policy=eyJleHRlbnNpb25zIjogeyJyZW1vdGVfaXAiOiAiMTkyLjE2OC4xNC4xMzEifSwgInJlc291cmNlIjogIi9zdHJlYW1lci92YXIvbGliL3B1bHAvY29udGVudC9kaXN0cmlidXRpb24va3MtQ2VudE9TLS03LXg4Nl82NC9pbWFnZXMvcHhlYm9vdC92bWxpbnV6IiwgImV4cGlyYXRpb24iOiAxNDY1NzgzNTkxfQ==;signature=ANlO8fxrFZ3mi9J8bf64XGBOBeM3Wal49VDtZPlJvwpa2X7ezF6tl8jfC7RKrjwWuWxAotT8UMEKn4foZqodZogao4HGaQkddkcFAPrZ53OjYijF_3P4h8fETImWC2cJkY4Cq0lbNi2tQ96dLe7nEEVioXwN1jYOsm42ZBbKbq3wapTU3bAtnSSzD3AjF9G4n9KRJ-YZLmuk1DNxsKI0sMdjiGKiWqz7jJXyji7pkMP_QoGAhhudQwsdmVzB9H3BEEqFoXYmM0Zl7kqB6sB8Msn-UMPoVyOd1GaJ7Wc-FEs9QQ_CnxgF8xEkaMadM2DbbYRB8R-CUb2NbvH2WRZIPQ=='
* About to connect() to localhost port 80 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 80 (#0)
> GET /streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz?policy=eyJleHRlbnNpb25zIjogeyJyZW1vdGVfaXAiOiAiMTkyLjE2OC4xNC4xMzEifSwgInJlc291cmNlIjogIi9zdHJlYW1lci92YXIvbGliL3B1bHAvY29udGVudC9kaXN0cmlidXRpb24va3MtQ2VudE9TLS03LXg4Nl82NC9pbWFnZXMvcHhlYm9vdC92bWxpbnV6IiwgImV4cGlyYXRpb24iOiAxNDY1NzgzNTkxfQ==;signature=ANlO8fxrFZ3mi9J8bf64XGBOBeM3Wal49VDtZPlJvwpa2X7ezF6tl8jfC7RKrjwWuWxAotT8UMEKn4foZqodZogao4HGaQkddkcFAPrZ53OjYijF_3P4h8fETImWC2cJkY4Cq0lbNi2tQ96dLe7nEEVioXwN1jYOsm42ZBbKbq3wapTU3bAtnSSzD3AjF9G4n9KRJ-YZLmuk1DNxsKI0sMdjiGKiWqz7jJXyji7pkMP_QoGAhhudQwsdmVzB9H3BEEqFoXYmM0Zl7kqB6sB8Msn-UMPoVyOd1GaJ7Wc-FEs9QQ_CnxgF8xEkaMadM2DbbYRB8R-CUb2NbvH2WRZIPQ== HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost
> Accept: */*
> 
< HTTP/1.1 403 Forbidden
< Date: Tue, 11 Oct 2016 20:35:55 GMT
< Server: Apache/2.2.15 (Red Hat)
< Vary: Accept-Encoding
< Content-Length: 287
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /streamer/var/lib/pulp/content/distribution/ks-CentOS--7-x86_64/images/pxeboot/vmlinuz
on this server.</p>
</body></html>
* Closing connection #0

Comment 11 errata-xmlrpc 2016-10-26 12:26:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108

