[rabbitmq-server/epel7] Fix insufficient 'X-Forwarded-For' header validation (RHBZ#1174872)
John Eckersberg
jeckersb at fedoraproject.org
Wed Dec 17 19:23:02 UTC 2014
commit 10126b9a5319eadc8dc3574e1df7fb2cb624eff7
Author: John Eckersberg <jeckersb at redhat.com>
Date: Wed Dec 17 14:22:42 2014 -0500
Fix insufficient 'X-Forwarded-For' header validation (RHBZ#1174872)
rabbitmq-server-RHBZ1174872-1-of-2.patch | 52 ++++++++++++++++++++++++++++++
rabbitmq-server-RHBZ1174872-2-of-2.patch | 22 ++++++++++++
rabbitmq-server.spec | 15 ++++++++-
3 files changed, 88 insertions(+), 1 deletions(-)
---
diff --git a/rabbitmq-server-RHBZ1174872-1-of-2.patch b/rabbitmq-server-RHBZ1174872-1-of-2.patch
new file mode 100644
index 0000000..57f8917
--- /dev/null
+++ b/rabbitmq-server-RHBZ1174872-1-of-2.patch
@@ -0,0 +1,52 @@
+
+# HG changeset patch
+# User Simon MacMullen <simon at rabbitmq.com>
+# Date 1413370639 -3600
+# Node ID c3c41177a11a120cda1e4b7b6594220b0d197f5b
+# Parent fc2d6d0a192b3182def9c014bc490ac2a343bfd4
+Don't use wrq:peer/1
+
+diff -r fc2d6d0a192b -r c3c41177a11a src/rabbit_mgmt_util.erl
+--- a/src/rabbit_mgmt_util.erl Thu Oct 02 17:48:31 2014 +0100
++++ b/src/rabbit_mgmt_util.erl Wed Oct 15 11:57:19 2014 +0100
+@@ -40,6 +40,9 @@
+ -include("rabbit_mgmt.hrl").
+ -include_lib("amqp_client/include/amqp_client.hrl").
+
++-include_lib("webmachine/include/wm_reqdata.hrl").
++-include_lib("webmachine/include/wm_reqstate.hrl").
++
+ -define(FRAMING, rabbit_framing_amqp_0_9_1).
+
+ %%--------------------------------------------------------------------
+@@ -116,11 +119,7 @@
+ end,
+ case rabbit_access_control:check_user_pass_login(Username, Password) of
+ {ok, User = #user{tags = Tags}} ->
+- IPStr = wrq:peer(ReqData),
+- %% inet_parse:address/1 is an undocumented function but
+- %% exists in old versions of Erlang. inet:parse_address/1
+- %% is a documented wrapper round it but introduced in R16B.
+- {ok, IP} = inet_parse:address(IPStr),
++ IP = peer(ReqData),
+ case rabbit_access_control:check_user_loopback(Username, IP) of
+ ok ->
+ case is_mgmt_user(Tags) of
+@@ -143,6 +142,16 @@
+ not_authorised(<<"Login failed">>, ReqData, Context)
+ end.
+
++%% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
++peer(ReqData) ->
++ {ok, {IP,_Port}} = peername(ReqData#wm_reqdata.wm_state#wm_reqstate.socket),
++ IP.
++
++%% Like the one in rabbit_net, but we and webmachine have a different
++%% way of wrapping
++peername(Sock) when is_port(Sock) -> inet:peername(Sock);
++peername({ssl, SSL}) -> ssl:peername(SSL).
++
+ vhost(ReqData) ->
+ case id(vhost, ReqData) of
+ none -> none;
+
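Review bot: The new `peer/1` asserts `{ok, {IP,_Port}} = peername(...)`, so an `{error, _}` from `inet:peername/1` or `ssl:peername/1` (for example on an already-closed socket) raises `badmatch` inside the login path instead of the `not_authorised(...)` reply the surrounding clause uses for other failures; that still fails closed, since no user is granted, but the intent should be stated, e.g. `%% A peername error crashes the request rather than granting access.`. The same applies to `peername/1`, which has only the `is_port/1` and `{ssl, SSL}` clauses, so any other socket wrapper ends in `function_clause`. It would also help operators to document the consequence of the fix: `check_user_loopback/2` now sees the transport-level peer, so behind a reverse proxy on the same host the loopback check is presumably evaluated against the proxy's address rather than the original client's — `%% Intentionally the socket peer, not X-Forwarded-For; behind a proxy this is the proxy's address.`. The function containing the `IP = peer(ReqData)` change starts before the hunk.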
diff --git a/rabbitmq-server-RHBZ1174872-2-of-2.patch b/rabbitmq-server-RHBZ1174872-2-of-2.patch
new file mode 100644
index 0000000..ff6fcfd
--- /dev/null
+++ b/rabbitmq-server-RHBZ1174872-2-of-2.patch
@@ -0,0 +1,22 @@
+
+# HG changeset patch
+# User Simon MacMullen <simon at rabbitmq.com>
+# Date 1413371780 -3600
+# Node ID 35e916df027dd36c498e8814d39c3e2a44548c7b
+# Parent c3c41177a11a120cda1e4b7b6594220b0d197f5b
+Build on old Erlang
+
+diff -r c3c41177a11a -r 35e916df027d src/rabbit_mgmt_util.erl
+--- a/src/rabbit_mgmt_util.erl Wed Oct 15 11:57:19 2014 +0100
++++ b/src/rabbit_mgmt_util.erl Wed Oct 15 12:16:20 2014 +0100
+@@ -144,7 +144,8 @@
+
+ %% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
+ peer(ReqData) ->
+- {ok, {IP,_Port}} = peername(ReqData#wm_reqdata.wm_state#wm_reqstate.socket),
++ WMState = ReqData#wm_reqdata.wm_state,
++ {ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket),
+ IP.
+
+ %% Like the one in rabbit_net, but we and webmachine have a different
+
diff --git a/rabbitmq-server.spec b/rabbitmq-server.spec
index 9d697a4..228f2ea 100644
--- a/rabbitmq-server.spec
+++ b/rabbitmq-server.spec
@@ -3,7 +3,7 @@
Name: rabbitmq-server
Version: 3.3.5
-Release: 3%{?dist}
+Release: 4%{?dist}
License: MPLv1.1
Group: Development/Libraries
Source: http://www.rabbitmq.com/releases/rabbitmq-server/v%{version}/%{name}-%{version}.tar.gz
@@ -58,6 +58,11 @@ Patch1: rabbitmq-server-systemd-notify-support.patch
Patch2: rabbitmq-server-allow-guest-non-loopback.patch
+# Bug 1174872 - rabbitmq-server: insufficient 'X-Forwarded-For' header validation
+# https://bugzilla.redhat.com/show_bug.cgi?id=1174872
+Patch3: rabbitmq-server-RHBZ1174872-1-of-2.patch
+Patch4: rabbitmq-server-RHBZ1174872-2-of-2.patch
+
%description
RabbitMQ is an implementation of AMQP, the emerging standard for high
performance enterprise messaging. The RabbitMQ server is a robust and
@@ -79,6 +84,11 @@ scalable implementation of an AMQP broker.
%patch1 -p1
%patch2 -p1
+pushd plugins-src/rabbitmq-management
+%patch3 -p1
+%patch4 -p1
+popd
+
%build
cp %{S:2} %{_rabbit_wrapper}
cp %{S:4} %{_rabbit_server_ocf}
@@ -210,6 +220,9 @@ done
rm -rf %{buildroot}
%changelog
+* Wed Dec 17 2014 John Eckersberg <eck at redhat.com> - 3.3.5-4
+- Fix insufficient 'X-Forwarded-For' header validation (RHBZ#1174872)
+
* Tue Nov 18 2014 John Eckersberg <eck at redhat.com> - 3.3.5-3
- Add rabbitmq-plugins to default path (rhbz#1126680)