Bug 487758 - origin lets you get arbitrary paths with a single valid header
origin lets you get arbitrary paths with a single valid header
Product: Red Hat Network
Classification: Red Hat
Component: RHN/Backend (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Bryan Kearney
Red Hat Network Quality Assurance
Depends On:
Blocks: 486586
  Show dependency treegraph
Reported: 2009-02-27 14:07 EST by James Bowes
Modified: 2013-01-10 05:01 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-03-16 08:52:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description James Bowes 2009-02-27 14:07:45 EST
origin examines 3 headers for a file request to do authentication. 2 are data, and the 3 is a hash of the data ones used for the auth.

Once authed, the code serves up the path requested in the url, which may not match the header.
Comment 1 James Bowes 2009-03-06 11:36:19 EST
To test:
  * edit fake-akamai.cgi so that it requests a file that is different from the  
    one you pass on the command line. Do so by changing 'parsed[2]' on line 111 
    (in conn.request() call) to some valid path for an rpm.
  * run fake akamai from the command line, passing a different path as the 
  * your request should be denied, and origin should log the error.
Comment 2 Grant Gainey 2009-03-06 14:01:54 EST
VERIFIED in dev.

 * fake-akamai broken to always point at "/rhn/public/NULL/a2ps/4.13b-57.1.el5/i386/a2ps-4.13b-57.1.el5.i386.rpm"
 * renamed to broken-fake-akamai
 * run as follows:

  sudo ./broken-fake-akamai.cgi --cli --verbose https://origin.rhn.webdev.redhat.com /rhn/public/NULL/amanda-server/2.5.0p2-4/i386/amanda-server-2.5.0p2-4.i386.rpm

 * origin retruned the following:

HTTP 401 Authorization Required
Traceback (most recent call last):
  File "./broken-fake-akamai.cgi", line 220, in ?
  File "./broken-fake-akamai.cgi", line 208, in run_from_cli
    for header in fo.getheaders():
AttributeError: HTTPResponse instance has no attribute 'getheaders'

Moving to VERIFIED

Note You need to log in before you can comment on or make changes to this bug.