File CVE-2019-20933.patch of Package influxdb

commit 7afe0d87bd8b88da95e95bad09ea719dcc6bd22d
Author: David Norton <dgnorton@gmail.com>
Date:   Tue Apr 2 11:26:57 2019 -0400

    fix(httpd): fail bearerauth if shared secret blank
    
    (cherry picked from commit 761b557315ff9c1642cf3b0e5797cd3d983a24c0)
    (cherry picked from commit 34e54cae951a178117c2e3955e02fb9c17b1c7e5)
    (cherry picked from commit 44bcae27b88e787fcadf0a65eb3d551f77a5b192)

diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index bf4c7a2f3832..ebe845f377e4 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -883,6 +883,11 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, *meta.UserInfo)
 					return
 				}
 			case BearerAuthentication:
+				if h.Config.SharedSecret == "" {
+					atomic.AddInt64(&h.stats.AuthenticationFailures, 1)
+					h.httpError(w, "bearer auth disabled", http.StatusUnauthorized)
+					return
+				}
 				keyLookupFn := func(token *jwt.Token) (interface{}, error) {
 					// Check for expected signing method.
 					if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
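Review bot: The new guard at the top of the `BearerAuthentication` case carries no comment saying why an empty `SharedSecret` must fail closed, and the reason is not obvious from the three lines themselves. The test added in handler_test.go shows the hazard: a token signed with the empty secret would otherwise pass the HMAC key lookup that follows, so bearer auth must be treated as disabled rather than left to verify against an empty key. I would add above the `if`: `// An empty shared secret would let any HMAC token signed with "" verify; treat bearer auth as disabled.` The enclosing `authenticate` function starts and ends outside this hunk, so I cannot tell whether the same condition is also rejected at config-load time; if it is not, a note pointing at where `SharedSecret` is validated would help the next reader.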
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index fe13ba3cf9d7..5e68746abb7a 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -212,6 +212,24 @@ func TestHandler_Query_Auth(t *testing.T) {
 	} else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"token expiration required"}` {
 		t.Fatalf("unexpected body: %s", body)
 	}
+
+	// Test that auth fails if shared secret is blank.
+	origSecret := h.Config.SharedSecret
+	h.Config.SharedSecret = ""
+	token, _ = MustJWTToken("user1", h.Config.SharedSecret, false)
+	signedToken, err = token.SignedString([]byte(h.Config.SharedSecret))
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
+	w = httptest.NewRecorder()
+	h.ServeHTTP(w, req)
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
+	} else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"bearer auth disabled"}` {
+		t.Fatalf("unexpected body: %s", body)
+	}
+	h.Config.SharedSecret = origSecret
 }
 
 // Ensure the handler returns results from a query (including nil results).
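Review bot: The restore at the end of the new block, `h.Config.SharedSecret = origSecret`, is skipped whenever one of the preceding `t.Fatalf` or `t.Fatal` calls fires, leaving `h.Config.SharedSecret` blank for anything that runs against the same handler afterwards. Restoring under `defer` makes the cleanup unconditional: replace the assignment on the last line with `defer func() { h.Config.SharedSecret = origSecret }()` placed directly after `origSecret := h.Config.SharedSecret`. The `MustJWTToken` result is also assigned with `token, _ =`, discarding its second return; if that value is an error, checking it would keep this case from failing for an unrelated reason. `TestHandler_Query_Auth` begins outside this hunk.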