Project

Profile

Help

Actions
Send by e-mail Copy link

Issue #7066

closed

Denial of Service in pulp-content when CONTENT_PATH_PREFIX is followed by a `/`

Added by SimonPe over 4 years ago. Updated over 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
SimonPe
Category:
-
Sprint/Milestone:
3.6.0
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 77
Quarter:

Description

when sending a request to ${CONTENT_PATH_PREFIX}/ (whatever CONTENT_PATH_PREFIX is set to, plus one extra slash) pulp-content enters an infinite loop. because:

>>> os.path.split('/path')
('/', 'path')
>>> os.path.split('/')
('/', '')

and hence the while loop in https://github.com/pulp/pulpcore/blob/master/pulpcore/content/handler.py#L152-L158 never reaches the exit condition of base being empty (it stays /)

Actions
Copy link
 #2

Updated by daviddavis over 4 years ago

I was able to reproduce this:

$ http :/pulp/content//

The content app hung for a while and then I saw this in the logs:

Jul 02 19:48:20 pulp3-source-fedora.crake.example.com gunicorn[28299]: [2020-07-02 19:48:20 +0000] [28299] [CRITICAL] WORKER TIMEOUT (pid:28312)
Jul 02 19:48:21 pulp3-source-fedora.crake.example.com gunicorn[28299]: [2020-07-02 19:48:21 +0000] [28337] [INFO] Booting worker with pid: 28337
Actions
Copy link
 #3

Updated by fao89 over 4 years ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 76
Actions
Copy link
 #4

Updated by daviddavis over 4 years ago

  • Status changed from NEW to POST
  • Assignee set to SimonPe
Actions
Copy link
 #5

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 76 to Sprint 77

Added by SimonPe over 4 years ago

Revision 24498849 | View on GitHub

don't go into an infinite loop when CONTENT_PATH_PREFIX is followed by /

this would cause path to start with a / and because

>>> os.path.split('/path')
('/', 'path')
>>> os.path.split('/')
('/', '')

base would never end up as None but stay as / resulting in an infinite loop.

fixes #7066

Actions
Copy link
 #6

Updated by SimonPe over 4 years ago

  • Status changed from POST to MODIFIED

Added by SimonPe over 4 years ago

Revision 19d9e6ac | View on GitHub

don't go into an infinite loop when CONTENT_PATH_PREFIX is followed by /

this would cause path to start with a / and because

>>> os.path.split('/path')
('/', 'path')
>>> os.path.split('/')
('/', '')

base would never end up as None but stay as / resulting in an infinite loop.

fixes #7066

(cherry picked from commit 244988496900843a412e42ebff95468a4e682635)

Actions
Copy link
 #7

Updated by dkliban@redhat.com over 4 years ago

  • Sprint/Milestone set to 3.6.0
Actions
Copy link
 #8

Updated by pulpbot over 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions
Send by e-mail Copy link

Also available in: Atom PDF