File CVE-2019-20933.patch of Package influxdb
commit 44bcae27b88e787fcadf0a65eb3d551f77a5b192
Author: David Norton <dgnorton@gmail.com>
Date: Tue Apr 2 11:26:57 2019 -0400

fix(httpd): fail bearerauth if shared secret blank

(cherry picked from commit 761b557315ff9c1642cf3b0e5797cd3d983a24c0)
(cherry picked from commit 34e54cae951a178117c2e3955e02fb9c17b1c7e5)

diff --git a/services/httpd/handler.go b/services/httpd/handler.go
index 335acfb95c2e..ab6ef4918496 100644
--- a/services/httpd/handler.go
+++ b/services/httpd/handler.go
@@ -1052,6 +1052,11 @@ func authenticate(inner func(http.ResponseWriter, *http.Request, meta.User), h *
 return
 }
 case BearerAuthentication:
+ if h.Config.SharedSecret == "" {
+ atomic.AddInt64(&h.stats.AuthenticationFailures, 1)
+ h.httpError(w, "bearer auth disabled", http.StatusUnauthorized)
+ return
+ }
 keyLookupFn := func(token *jwt.Token) (interface{}, error) {
 // Check for expected signing method.
 if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
diff --git a/services/httpd/handler_test.go b/services/httpd/handler_test.go
index af411d422fc9..486258d7df75 100644
--- a/services/httpd/handler_test.go
+++ b/services/httpd/handler_test.go
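Review bot: The new guard at the top of the `case BearerAuthentication:` branch rejects only the exact empty string, so a whitespace-only `SharedSecret` (a typical YAML/env misconfiguration) still falls through to `keyLookupFn` and presumably becomes the HMAC key, which is the same class of weakness this commit is closing. At minimum I would widen the check to `if strings.TrimSpace(h.Config.SharedSecret) == "" {` (needs `strings` imported in handler.go if it is not already), and consider a minimum length as well, since any short or trivial secret is brute-forceable offline from a captured token. The stronger fix is to reject an empty or trivial shared secret when the config is loaded, so a server with bearer auth enabled fails to start rather than returning 401 on every request, but that validation lives outside this hunk; the per-request check is still worth keeping as defense in depth. The enclosing `authenticate` function begins and ends outside this hunk.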
@@ -217,6 +217,24 @@ func TestHandler_Query_Auth(t *testing.T) {
 t.Fatalf("unexpected body: %s", body)
 }
+ // Test that auth fails if shared secret is blank.
+ origSecret := h.Config.SharedSecret
+ h.Config.SharedSecret = ""
+ token, _ = MustJWTToken("user1", h.Config.SharedSecret, false)
+ signedToken, err = token.SignedString([]byte(h.Config.SharedSecret))
+ if err != nil {
+ t.Fatal(err)
+ }
+ req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", signedToken))
+ w = httptest.NewRecorder()
+ h.ServeHTTP(w, req)
+ if w.Code != http.StatusUnauthorized {
+ t.Fatalf("unexpected status: %d: %s", w.Code, w.Body.String())
+ } else if body := strings.TrimSpace(w.Body.String()); body != `{"error":"bearer auth disabled"}` {
+ t.Fatalf("unexpected body: %s", body)
+ }
+ h.Config.SharedSecret = origSecret
+
 // Test the handler with valid user and password in the url and invalid in
 // basic auth (prioritize url).
 w = httptest.NewRecorder()