origin examines 3 headers for a file request to do authentication. 2 are data, and the 3rd is a hash of the data ones used for the auth. Once authed, the code serves up the path requested in the URL, which may not match the header.
To test:
* edit fake-akamai.cgi so that it requests a file that is different from the one you pass on the command line. Do so by changing 'parsed[2]' on line 111 (in conn.request() call) to some valid path for an rpm.
* run fake akamai from the command line, passing a different path as the argument
* your request should be denied, and origin should log the error.
VERIFIED in dev.
* fake-akamai broken to always point at "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"
* renamed to broken-fake-akamai
* run as follows:
  sudo ./broken-fake-akamai.cgi --cli --verbose https://origin.rhn.webdev.redhat.com /rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm
* origin returned the following:
  HTTP 401 Authorization Required
  Headers:
  Traceback (most recent call last):
    File "./broken-fake-akamai.cgi", line 220, in ?
      run_from_cli()
    File "./broken-fake-akamai.cgi", line 208, in run_from_cli
      for header in fo.getheaders():
  AttributeError: HTTPResponse instance has no attribute 'getheaders'

Moving to VERIFIED
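
The mismatch described in this report, as an added example that is not the origin server's own code: the signature check alone accepts any URL, while the corrected check also binds the served path to the signed header. The header names, the timestamp data header, the shared secret and the use of HMAC-SHA256 are all assumptions; the report only says there are two data headers and a hash of them.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import unquote, urlsplit

SECRET = b"constructed-shared-secret"  # assumption: edge and origin share a key
H_PATH, H_TIME, H_SIGN = "X-Auth-Path", "X-Auth-Time", "X-Auth-Sign"  # hypothetical

def sign(path, timestamp):
    """Hash over the two data headers (HMAC-SHA256 is an assumption)."""
    msg = ("%s\n%s" % (path, timestamp)).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def signature_ok(headers):
    """Proves only that the three headers are consistent with each other."""
    try:
        expected = sign(headers[H_PATH], headers[H_TIME])
        return hmac.compare_digest(expected, headers[H_SIGN])
    except KeyError:
        return False

def canonical(path):
    """Decode and normalise a path so both sides are compared in one form."""
    return posixpath.normpath(unquote(urlsplit(path).path))

def authorize_before(url_path, headers):
    # Flaw from the report: url_path is what gets served, but it is never
    # compared with the path the signature actually covers.
    return 200 if signature_ok(headers) else 401

def authorize_after(url_path, headers, log=print):
    if not signature_ok(headers):
        log("auth failed: bad or missing signature headers")
        return 401
    if canonical(url_path) != canonical(headers[H_PATH]):
        log("auth failed: url %r does not match signed path %r"
            % (url_path, headers[H_PATH]))
        return 401
    return 200

# Constructed request: headers signed for one rpm, URL asks for another.
SIGNED = "/rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm"
URL = "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"
HEADERS = {H_PATH: SIGNED, H_TIME: "1200000000", H_SIGN: sign(SIGNED, "1200000000")}
```

With the constructed request, `authorize_before(URL, HEADERS)` returns 200 and `authorize_after(URL, HEADERS)` returns 401 and logs the mismatch, which is the behaviour the test steps expect from origin.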