Overview

File CVE-2019-20933.patch of Package influxdb

commit 34e54cae951a178117c2e3955e02fb9c17b1c7e5
Author: David Norton <dgnorton@gmail.com>
Date:   Tue Apr 2 11:26:57 2019 -0400

    fix(httpd): fail bearerauth if shared secret blank
    
    (cherry picked from commit 761b557315ff9c1642cf3b0e5797cd3d983a24c0)

diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 335acfb95c2e..ab6ef4918496 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -1052,6 +1052,11 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, meta.User), h *
 					return
 				}
 			case BearerAuthentication:
+				if h.Config.SharedSecret == "" {
+					atomic.AddInt64(&h.stats.AuthenticationFailures, 1)
+					h.httpError(w, "bearer auth disabled", http.StatusUnauthorized)
+					return
+				}
 				keyLookupFn := func(token *jwt.Token) (interface{}, error) {
 					// Check for expected signing method.
 					if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index af411d422fc9..486258d7df75 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -217,6 +217,24 @@ func TestHandler_Query_Auth(t *testing.T) {
 		t.Fatalf("unexpected body: %s", body)
 	}
 
+	// Test that auth fails if shared secret is blank.
+	origSecret := h.Config.SharedSecret
+	h.Config.SharedSecret = ""
+	token, _ = MustJWTToken("user1", h.Config.SharedSecret, false)
+	signedToken, err = token.SignedString([]byte(h.Config.SharedSecret))
+	if err != nil {
+		t.Fatal(err)
+	}
+	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
+	w = httptest.NewRecorder()
+	h.ServeHTTP(w, req)
+	if w.Code != http.StatusUnauthorized {
+		t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
+	} else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"bearer auth disabled"}` {
+		t.Fatalf("unexpected body: %s", body)
+	}
+	h.Config.SharedSecret = origSecret
+
 	// Test the handler with valid user and password in the url and invalid in
 	// basic auth (prioritize url).
 	w = httptest.NewRecorder()
openSUSE Build Service is sponsored by
Places