salt/fixes-cve-2018-15750-cve-2018-15751.patch

From 9ec54e8c1394ab678c6129d98f07c6eafd446399 Mon Sep 17 00:00:00 2001
From: Erik Johnson <palehose@gmail.com>
Date: Fri, 24 Aug 2018 10:35:55 -0500
Subject: [PATCH] Fixes: CVE-2018-15750, CVE-2018-15751

Ensure that tokens are hex to avoid hanging/errors in cherrypy

Add empty token salt-api integration tests

Handle Auth exceptions in run_job

Update tornado test to correct authentication message
---
 salt/netapi/rest_cherrypy/app.py                  | 7 -------
 tests/integration/netapi/rest_tornado/test_app.py | 4 ++--
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/salt/netapi/rest_cherrypy/app.py b/salt/netapi/rest_cherrypy/app.py
index fa1b540e5f..f8b500482b 100644
--- a/salt/netapi/rest_cherrypy/app.py
+++ b/salt/netapi/rest_cherrypy/app.py
@@ -1176,13 +1176,6 @@ class LowDataAdapter(object):
                 except (TypeError, ValueError):
                     raise cherrypy.HTTPError(401, 'Invalid token')
 
-            if 'token' in chunk:
-                # Make sure that auth token is hex
-                try:
-                    int(chunk['token'], 16)
-                except (TypeError, ValueError):
-                    raise cherrypy.HTTPError(401, 'Invalid token')
-
             if client:
                 chunk['client'] = client
 
diff --git a/tests/integration/netapi/rest_tornado/test_app.py b/tests/integration/netapi/rest_tornado/test_app.py
index 10ec29f7fa..4102b5645a 100644
--- a/tests/integration/netapi/rest_tornado/test_app.py
+++ b/tests/integration/netapi/rest_tornado/test_app.py
@@ -282,8 +282,8 @@ class TestSaltAPIHandler(_SaltnadoIntegrationTestCase):
         self.assertIn('jid', ret[0])  # the first 2 are regular returns
         self.assertIn('jid', ret[1])
         self.assertIn('Failed to authenticate', ret[2])  # bad auth
-        self.assertEqual(ret[0]['minions'], sorted(['minion', 'sub_minion']))
-        self.assertEqual(ret[1]['minions'], sorted(['minion', 'sub_minion']))
+        self.assertEqual(ret[0]['minions'], sorted(['minion', 'sub_minion', 'localhost']))
+        self.assertEqual(ret[1]['minions'], sorted(['minion', 'sub_minion', 'localhost']))
 
     def test_simple_local_async_post_no_tgt(self):
         low = [{'client': 'local_async',
-- 
2.16.4
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:333 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=166 2020-04-07 14:14:01 +02:00			`From 9ec54e8c1394ab678c6129d98f07c6eafd446399 Mon Sep 17 00:00:00 2001`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`From: Erik Johnson <palehose@gmail.com>`
			`Date: Fri, 24 Aug 2018 10:35:55 -0500`
			`Subject: [PATCH] Fixes: CVE-2018-15750, CVE-2018-15751`

			`Ensure that tokens are hex to avoid hanging/errors in cherrypy`

			`Add empty token salt-api integration tests`

			`Handle Auth exceptions in run_job`

			`Update tornado test to correct authentication message`
			`---`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:257 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=132 2019-04-12 11:57:21 +02:00			`salt/netapi/rest_cherrypy/app.py \| 7 -------`
			`tests/integration/netapi/rest_tornado/test_app.py \| 4 ++--`
			`2 files changed, 2 insertions(+), 9 deletions(-)`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00
			`diff --git a/salt/netapi/rest_cherrypy/app.py b/salt/netapi/rest_cherrypy/app.py`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:333 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=166 2020-04-07 14:14:01 +02:00			`index fa1b540e5f..f8b500482b 100644`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`--- a/salt/netapi/rest_cherrypy/app.py`
			`+++ b/salt/netapi/rest_cherrypy/app.py`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:333 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=166 2020-04-07 14:14:01 +02:00			`@@ -1176,13 +1176,6 @@ class LowDataAdapter(object):`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:257 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=132 2019-04-12 11:57:21 +02:00			`except (TypeError, ValueError):`
			`raise cherrypy.HTTPError(401, 'Invalid token')`

			`- if 'token' in chunk:`
			`- # Make sure that auth token is hex`
			`- try:`
			`- int(chunk['token'], 16)`
			`- except (TypeError, ValueError):`
			`- raise cherrypy.HTTPError(401, 'Invalid token')`
			`-`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`if client:`
			`chunk['client'] = client`

			`diff --git a/tests/integration/netapi/rest_tornado/test_app.py b/tests/integration/netapi/rest_tornado/test_app.py`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:333 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=166 2020-04-07 14:14:01 +02:00			`index 10ec29f7fa..4102b5645a 100644`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`--- a/tests/integration/netapi/rest_tornado/test_app.py`
			`+++ b/tests/integration/netapi/rest_tornado/test_app.py`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:333 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=166 2020-04-07 14:14:01 +02:00			`@@ -282,8 +282,8 @@ class TestSaltAPIHandler(_SaltnadoIntegrationTestCase):`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`self.assertIn('jid', ret[0]) # the first 2 are regular returns`
			`self.assertIn('jid', ret[1])`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:257 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=132 2019-04-12 11:57:21 +02:00			`self.assertIn('Failed to authenticate', ret[2]) # bad auth`
			`- self.assertEqual(ret[0]['minions'], sorted(['minion', 'sub_minion']))`
			`- self.assertEqual(ret[1]['minions'], sorted(['minion', 'sub_minion']))`
			`+ self.assertEqual(ret[0]['minions'], sorted(['minion', 'sub_minion', 'localhost']))`
			`+ self.assertEqual(ret[1]['minions'], sorted(['minion', 'sub_minion', 'localhost']))`

			`def test_simple_local_async_post_no_tgt(self):`
			`low = [{'client': 'local_async',`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00			`--`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:308 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=156 2019-11-28 16:41:55 +01:00			`2.16.4`
osc copypac from project:systemsmanagement:saltstack:testing package:salt revision:253 OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=131 2019-01-17 10:18:02 +01:00