File CVE-2019-20933.patch of Package influxdb
commit 34e54cae951a178117c2e3955e02fb9c17b1c7e5
Author: David Norton <dgnorton@gmail.com>
Date: Tue Apr 2 11:26:57 2019 -0400
fix(httpd): fail bearerauth if shared secret blank
(cherry picked from commit 761b557315ff9c1642cf3b0e5797cd3d983a24c0)
diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 335acfb95c2e..ab6ef4918496 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -1052,6 +1052,11 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, meta.User), h *
return
}
case BearerAuthentication:
+ if h.Config.SharedSecret == "" {
+ atomic.AddInt64(&h.stats.AuthenticationFailures, 1)
+ h.httpError(w, "bearer auth disabled", http.StatusUnauthorized)
+ return
+ }
keyLookupFn := func(token *jwt.Token) (interface{}, error) {
// Check for expected signing method.
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index af411d422fc9..486258d7df75 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
@@ -217,6 +217,24 @@ func TestHandler_Query_Auth(t *testing.T) {
t.Fatalf("unexpected body: %s", body)
}
+ // Test that auth fails if shared secret is blank.
+ origSecret := h.Config.SharedSecret
+ h.Config.SharedSecret = ""
+ token, _ = MustJWTToken("user1", h.Config.SharedSecret, false)
+ signedToken, err = token.SignedString([]byte(h.Config.SharedSecret))
+ if err != nil {
+ t.Fatal(err)
+ }
+ req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
+ w = httptest.NewRecorder()
+ h.ServeHTTP(w, req)
+ if w.Code != http.StatusUnauthorized {
+ t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
+ } else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"bearer auth disabled"}` {
+ t.Fatalf("unexpected body: %s", body)
+ }
+ h.Config.SharedSecret = origSecret
+
// Test the handler with valid user and password in the url and invalid in
// basic auth (prioritize url).
w = httptest.NewRecorder()