From 8bb9a306e6290d1a7cf0347e8cf1f83635bb8506 Mon Sep 17 00:00:00 2001 From: Pete Zaitcev Date: Jun 27 2014 19:59:50 +0000 Subject: Fix CVE-2014-3497 See bz#1110809. --- diff --git a/0001-remove-runtime-requirement-on-pbr.patch b/0001-remove-runtime-requirement-on-pbr.patch index 79fad5e..f1099c2 100644 --- a/0001-remove-runtime-requirement-on-pbr.patch +++ b/0001-remove-runtime-requirement-on-pbr.patch @@ -4,8 +4,8 @@ Date: Wed, 9 Oct 2013 12:38:40 +0100 Subject: [PATCH] remove runtime requirement on pbr --- - swift/__init__.py | 18 ++---------------- - 1 files changed, 2 insertions(+), 16 deletions(-) + swift/__init__.py | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/swift/__init__.py b/swift/__init__.py index 9d0e889..d7a4012 100644 diff --git a/0002-Add-fixes-for-building-the-doc-package.patch b/0002-Add-fixes-for-building-the-doc-package.patch index 1465cc7..a216e36 100644 --- a/0002-Add-fixes-for-building-the-doc-package.patch +++ b/0002-Add-fixes-for-building-the-doc-package.patch @@ -10,8 +10,8 @@ Don't access the net and always reference the swift module from the package we're building Based on Nova/Glance EPEL patch by Pádraig Brady --- - doc/source/conf.py | 6 +++--- - 1 files changed, 3 insertions(+), 3 deletions(-) + doc/source/conf.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/source/conf.py b/doc/source/conf.py index 9b1b86c..bf061ad 100644 diff --git a/0003-Set-permissions-on-generated-ring-files.patch b/0003-Set-permissions-on-generated-ring-files.patch index 80e0084..5c67091 100644 --- a/0003-Set-permissions-on-generated-ring-files.patch +++ b/0003-Set-permissions-on-generated-ring-files.patch 
@@ -13,9 +13,9 @@ that the swift user can read the rings. Change-Id: Ia511931f471c5c9840012c3a75b89c1f35b1b245 Closes-Bug: #1302700 --- - swift/common/ring/ring.py | 1 + - test/unit/common/ring/test_ring.py | 10 ++++++++++ - 2 files changed, 11 insertions(+), 0 deletions(-) + swift/common/ring/ring.py | 1 + + test/unit/common/ring/test_ring.py | 10 ++++++++++ + 2 files changed, 11 insertions(+) diff --git a/swift/common/ring/ring.py b/swift/common/ring/ring.py index 5b31528..a1f9024 100644 diff --git a/0004-properly-quote-www-authenticate-header-value.patch b/0004-properly-quote-www-authenticate-header-value.patch new file mode 100644 index 0000000..33c8257 --- /dev/null +++ b/0004-properly-quote-www-authenticate-header-value.patch 
@@ -0,0 +1,95 @@
+From 3b945a2fcbcc8df63cb9e1987741fa12b8f54a8c Mon Sep 17 00:00:00 2001
+From: John Dickinson
+Date: Fri, 6 Jun 2014 11:46:41 -0700
+Subject: [PATCH] properly quote www-authenticate header value
+
+HTTP header values should be quoted. Since the WWW-Authenticate
+header value contains user-supplied strings, it's important to
+ensure it's properly quoted to ensure the integrity of the protocol.
+
+Previous to this patch, the URL was unquoted and then the unquoted
+value was returned in the header. This patch re-quotes the value
+when it is set on the response.
+
+This is filed as CVS-2014-3497
+
+Fixes bug 1327414
+
+Change-Id: If8bd8842f2ce821756e9b4461a18a8ac8d42fb8c
+(cherry picked from commit b223322ed1ef44f61490f820240aa01f1047ae2e)
+---
+ swift/common/swob.py | 2 +-
+ test/functional/tests.py | 13 +++++++++++++
+ test/unit/common/test_swob.py | 22 ++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+diff --git a/swift/common/swob.py b/swift/common/swob.py
+index 638086e..f4f38c7 100644
+--- a/swift/common/swob.py
++++ b/swift/common/swob.py
+@@ -1203,7 +1203,7 @@ class Response(object):
+ realm = 'unknown'
+ except (AttributeError, ValueError):
+ realm = 'unknown'
+- return 'Swift realm="%s"' % realm
++ return 'Swift realm="%s"' % urllib2.quote(realm)
+
+ @property
+ def is_success(self):
+diff --git a/test/functional/tests.py b/test/functional/tests.py
+index ad8c398..7983815 100644
+--- a/test/functional/tests.py
++++ b/test/functional/tests.py
+@@ -333,6 +333,19 @@ class TestAccount(Base):
+ self.assertEqual(sorted(containers, cmp=locale.strcoll),
+ containers)
+
++ def testQuotedWWWAuthenticateHeader(self):
++ conn = Connection(config)
++ conn.authenticate()
++ inserted_html = 'Hello World'
++ hax = 'AUTH_haxx"\nContent-Length: %d\n\n%s' % (len(inserted_html),
++ inserted_html)
++ quoted_hax = urllib.quote(hax)
++ conn.connection.request('GET', '/v1/' + quoted_hax, None, {})
++ resp = conn.connection.getresponse()
++ resp_headers = resp.getheaders()
++ expected = ('www-authenticate', 'Swift realm="%s"' % quoted_hax)
++ self.assert_(expected in resp_headers)
++
+
+ class TestAccountUTF8(Base2, TestAccount):
+ set_up = False
+diff --git a/test/unit/common/test_swob.py b/test/unit/common/test_swob.py
+index 7cc5439..b0452b9 100644
+--- a/test/unit/common/test_swob.py
++++ b/test/unit/common/test_swob.py
+@@ -601,6 +601,28 @@ class TestRequest(unittest.TestCase):
+ self.assertEquals('Me realm="whatever"',
+ resp.headers['Www-Authenticate'])
+
++ def test_401_www_authenticate_is_quoted(self):
++
++ def test_app(environ, start_response):
++ start_response('401 Unauthorized', [])
++ return ['hi']
++
++ hacker = 'account-name\n\nfoo' # url injection test
++ quoted_hacker = quote(hacker)
++ req = swift.common.swob.Request.blank('/v1/' + hacker)
++ resp = req.get_response(test_app)
++ self.assertEquals(resp.status_int, 401)
++ self.assert_('Www-Authenticate' in resp.headers)
++ self.assertEquals('Swift realm="%s"' % quoted_hacker,
++ resp.headers['Www-Authenticate'])
++
++ req = swift.common.swob.Request.blank('/v1/' + quoted_hacker)
++ resp = req.get_response(test_app)
++ self.assertEquals(resp.status_int, 401)
++ self.assert_('Www-Authenticate' in resp.headers)
++ self.assertEquals('Swift realm="%s"' % quoted_hacker,
++ resp.headers['Www-Authenticate'])
++
+ def test_not_401(self):
+
+ # Other status codes should not have WWW-Authenticate in response
diff --git a/openstack-swift.spec b/openstack-swift.spec
index 6206e88..17a1dca 100644
--- a/openstack-swift.spec
+++ b/openstack-swift.spec
@@ -7,7 +7,7 @@ Name: openstack-swift Version: 1.13.1 -Release: 4%{?dist} +Release: 5%{?dist} Summary: OpenStack Object Storage (Swift) Group: Development/Languages
@@ -56,6 +56,7 @@ Source7: swift.conf Patch0001: 0001-remove-runtime-requirement-on-pbr.patch Patch0002: 0002-Add-fixes-for-building-the-doc-package.patch Patch0003: 0003-Set-permissions-on-generated-ring-files.patch +Patch0004: 0004-properly-quote-www-authenticate-header-value.patch BuildArch: noarch BuildRequires: python-devel
@@ -165,6 +166,7 @@ This package contains documentation files for %{name}. %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 +%patch0004 -p1 #sed -i 's/%{version}.%{milestone}/%{version}/' PKG-INFO
@@ -467,6 +469,9 @@ exit 0 %doc LICENSE doc/build/html %changelog +* Fri Jun 27 2014 Pete Zaitcev - 1.13.1-5 +- Fix CVE-2014-3497, unquoted realm in WWW-Authenticate + * Tue Jun 24 2014 Pete Zaitcev - 1.13.1-4 - Move default ports from 600x to 620x (#1107907 and a dozen of others)
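Review bot: The new return line in swob.py's Response relies on urllib2.quote percent-encoding `"`, CR and LF so that a realm derived from the request path can neither close the quoted-string nor start a new header line, but nothing in the code records that this line is a security boundary; I would add above the return `# Percent-encode: the realm comes from the request path and must not be able to close the quoted-string or inject CR/LF into the header.` Percent-encoding is also not the RFC 2617/7235 quoted-string escaping (a backslash before `"` and `\`), so clients will see the realm in encoded form rather than as typed, and the comment should state that this trade-off is deliberate. The hunk context does not show an `import urllib2` in swob.py, nor the bare `quote` and `urllib` names the two new tests use; presumably those imports already exist in the respective files, but that is worth confirming when the patch is applied to 1.13.1. The enclosing method of Response starts outside the hunk, so where `realm` is taken from is not visible here.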