Red Hat Bugzilla – Bug 487758
origin lets you get arbitrary paths with a single valid header
Last modified: 2013-01-10 05:01:44 EST
origin examines 3 headers for a file request to do authentication. 2 are data, and the 3rd is a hash of the data ones used for the auth.
Once authed, the code serves up the path requested in the url, which may not match the header.
* edit fake-akamai.cgi so that it requests a file that is different from the
one you pass on the command line. Do so by changing 'parsed' on line 111
(in conn.request() call) to some valid path for an rpm.
* run fake akamai from the command line, passing a different path as the
* your request should be denied, and origin should log the error.
VERIFIED in dev.
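Added illustration, not part of the bug or of origin's code: a Python sketch of the check the description above talks about, with assumed header names, shared secret and hash algorithm (the bug does not state origin's real ones). serve_vulnerable() mirrors the reported behaviour (headers verified, then whatever the URL names is served) and serve_fixed() binds the URL path to the path the headers were authenticated for. The two rpm paths are the ones from the verification steps.

```python
import hashlib
import hmac
from typing import Mapping, Optional, Tuple

# Assumed for this example only: origin's real header names, secret handling
# and hash algorithm are not given in the bug.
SECRET = b"example-shared-secret"
HDR_PATH = "X-Origin-Path"        # data header 1: path the edge was authorised to fetch
HDR_EXPIRES = "X-Origin-Expires"  # data header 2: unix time after which the token is stale
HDR_HASH = "X-Origin-Hash"        # keyed hash over the two data headers

# Constructed sample input: headers signed for one rpm, URL asking for another
# (the same mismatch the broken fake-akamai produced).
PATH_SIGNED = "/rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm"
PATH_REQUESTED = "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"


def compute_hash(path: str, expires: str) -> str:
    """Keyed hash over the two data headers (hex HMAC-SHA256, assumed)."""
    msg = (path + "\n" + expires).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_request(path: str, expires: int) -> dict:
    """The three headers a legitimate edge node would send for one file."""
    exp = str(expires)
    return {HDR_PATH: path, HDR_EXPIRES: exp, HDR_HASH: compute_hash(path, exp)}


def headers_are_valid(headers: Mapping[str, str], now: int) -> bool:
    """The header check on its own: all present, not expired, hash matches."""
    try:
        path, expires, given = headers[HDR_PATH], headers[HDR_EXPIRES], headers[HDR_HASH]
    except KeyError:
        return False
    if not expires.isdigit() or int(expires) < now:
        return False
    return hmac.compare_digest(compute_hash(path, expires), given)


Result = Tuple[int, Optional[str]]  # (HTTP status, path that would be served)


def serve_vulnerable(url_path: str, headers: Mapping[str, str], now: int) -> Result:
    """Mirrors the bug: headers are checked, then the URL path is served unconditionally."""
    if not headers_are_valid(headers, now):
        return 401, None
    return 200, url_path  # url_path was never tied to the authenticated headers


def serve_fixed(url_path: str, headers: Mapping[str, str], now: int) -> Result:
    """Same check, but the URL must name the path the hash was computed over."""
    if not headers_are_valid(headers, now):
        return 401, None
    if headers[HDR_PATH] != url_path:
        return 401, None  # valid token, wrong file: deny and log, as the steps expect
    return 200, url_path


if __name__ == "__main__":
    NOW = 1_230_000_000
    hdrs = sign_request(PATH_SIGNED, NOW + 600)  # valid headers for amanda-server
    print("vulnerable:", serve_vulnerable(PATH_REQUESTED, hdrs, NOW))
    print("fixed:     ", serve_fixed(PATH_REQUESTED, hdrs, NOW))
```

The fix does not need a new secret or a new hash: the path is already one of the hashed data headers, so all the server has to do is refuse to serve anything but that path. If the real origin normalises paths before serving (trailing slashes, dot segments), the comparison has to be done on the normalised form on both sides, otherwise the check can be bypassed the same way.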
* fake-akamai broken to always point at "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"
* renamed to broken-fake-akamai
* run as follows:
sudo ./broken-fake-akamai.cgi --cli --verbose https://origin.rhn.webdev.redhat.com /rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm
* origin returned the following:
HTTP 401 Authorization Required
Traceback (most recent call last):
  File "./broken-fake-akamai.cgi", line 220, in ?
  File "./broken-fake-akamai.cgi", line 208, in run_from_cli
    for header in fo.getheaders():
AttributeError: HTTPResponse instance has no attribute 'getheaders'
Moving to VERIFIED