Your message dated Sun, 14 Dec 2014 15:10:08 -0800
with message-id <20141214231008.gg1...@ftbfs.org>
and subject line Fixed in 3.4.1-1
has caused the Debian Bug report #773134,
regarding rabbitmq_management incorrectly trusts 'X-Forwarded-For' header
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
773134: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773134
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rabbitmq-server
Version: 3.3.5-1
Severity: serious


RabbitMQ 3.3.0 introduced a mechanism (the 'loopback_users'
configuration item) allowing access for some users to be restricted to
only connect via localhost. By default the "guest" user is restricted in
this way.

Unfortunately, the HTTP framework used by the management plugin trusts
the easily-forged 'X-Forwarded-For' header when determining the remote
address. It is therefore possible to subvert this access control
mechanism for the HTTP API. Attackers would still need to know or guess
the username and password.

Above text was taken from:
https://groups.google.com/forum/#!topic/rabbitmq-users/DMkypbSvIyM

--- End Message ---
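The header-trust flaw described in the report, modelled as an added illustration that is not RabbitMQ's own code: a toy loopback check in the vulnerable form that honours X-Forwarded-For, beside the fixed form that uses only the socket peer. The Request type, the header handling and the sample addresses are constructed for this example.

```python
# Added illustration (not RabbitMQ code): a minimal model of the loopback
# check described in the bug report, in its vulnerable and fixed forms.
# The Request type, header names and addresses are constructed here.
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    socket_peer: str                      # address from the TCP connection itself
    headers: dict = field(default_factory=dict)


def is_loopback(addr: str) -> bool:
    return ip_address(addr).is_loopback


def remote_addr_vulnerable(req: Request) -> str:
    """Mirrors the flawed behaviour: a client-supplied X-Forwarded-For
    header overrides the real peer address."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        # the first address in the list is taken as the client
        return xff.split(",")[0].strip()
    return req.socket_peer


def remote_addr_fixed(req: Request) -> str:
    """Mirrors the fix: only the transport-level peer counts; headers are ignored."""
    return req.socket_peer


def loopback_login_allowed(req: Request, user: str, loopback_users: set, resolver) -> bool:
    """Login is permitted unless the user is loopback-restricted and the
    resolved remote address is not a loopback address."""
    if user not in loopback_users:
        return True
    return is_loopback(resolver(req))


# Constructed requests: a genuine local client and a remote client forging the header.
LOCAL = Request("127.0.0.1")
FORGED = Request("203.0.113.7", {"X-Forwarded-For": "127.0.0.1"})
LOOPBACK_USERS = {"guest"}   # RabbitMQ restricts "guest" this way by default
```

Running the two resolvers over FORGED shows the difference: the vulnerable resolver admits the remote "guest" login, the fixed one rejects it, while unrestricted users are unaffected either way.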
--- Begin Message ---
Version: 3.4.1-1

Hi,

This bug is fixed in 3.4.1-1.

The upstream changes that fix this issue are

 * http://hg.rabbitmq.com/rabbitmq-management/rev/c3c41177a11a
 * http://hg.rabbitmq.com/rabbitmq-management/rev/35e916df027d

Since 3.4.1-1 has already been uploaded to unstable, I've filed bug
773140 against release.debian.org asking if it's OK to upload
3.3.5-1.1 to testing-proposed-updates using the attached patch.

-- 
Matt
diff -u rabbitmq-server-3.3.5/debian/changelog 
rabbitmq-server-3.3.5/debian/changelog
--- rabbitmq-server-3.3.5/debian/changelog
+++ rabbitmq-server-3.3.5/debian/changelog
@@ -1,3 +1,10 @@
+rabbitmq-server (3.3.5-1.1) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * Do not trust X-Forwarded-For (Closes: #773134).
+
+ -- Matt Kraai <kr...@debian.org>  Sun, 14 Dec 2014 14:51:41 -0800
+
 rabbitmq-server (3.3.5-1) unstable; urgency=low
 
   * New upstream release:
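Review bot: the changelog entry names the behaviour change but not where it comes from; since this is a backport, consider citing the two upstream rabbitmq-management revisions in the entry, e.g. `* Do not trust X-Forwarded-For; backport of upstream c3c41177a11a and 35e916df027d (Closes: #773134).`, so the provenance is visible from the package itself.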
only in patch2:
unchanged:
--- 
rabbitmq-server-3.3.5.orig/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
+++ 
rabbitmq-server-3.3.5/plugins-src/rabbitmq-management/src/rabbit_mgmt_util.erl
@@ -40,6 +40,9 @@
 -include("rabbit_mgmt.hrl").
 -include_lib("amqp_client/include/amqp_client.hrl").
 
+-include_lib("webmachine/include/wm_reqdata.hrl").
+-include_lib("webmachine/include/wm_reqstate.hrl").
+
 -define(FRAMING, rabbit_framing_amqp_0_9_1).
 
 %%--------------------------------------------------------------------
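Review bot: including webmachine's wm_reqdata.hrl and wm_reqstate.hrl makes rabbit_mgmt_util depend on webmachine's private record layouts rather than on its wrq API, so a later webmachine release that renames or removes the wm_state or socket fields used further down will break this module; a comment beside the two includes stating that they exist only so peer/1 can reach the raw socket would help the next maintainer, and the webmachine version the plugin is built against should be pinned.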
@@ -116,11 +119,7 @@
              end,
     case rabbit_access_control:check_user_pass_login(Username, Password) of
         {ok, User = #user{tags = Tags}} ->
-            IPStr = wrq:peer(ReqData),
-            %% inet_parse:address/1 is an undocumented function but
-            %% exists in old versions of Erlang. inet:parse_address/1
-            %% is a documented wrapper round it but introduced in R16B.
-            {ok, IP} = inet_parse:address(IPStr),
+            IP = peer(ReqData),
             case rabbit_access_control:check_user_loopback(Username, IP) of
                 ok ->
                     case is_mgmt_user(Tags) of
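Review bot: with `IP = peer(ReqData)` the address handed to check_user_loopback is the transport-level peer, which is the right fix for forged headers, but it also means a reverse proxy running on the same host will present every client as 127.0.0.1 and the loopback restriction will admit them all; the package documentation should state that loopback_users cannot be enforced behind a local proxy. Dropping the removed comment about inet_parse:address/1 is correct, since no string parsing remains at this call site.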
@@ -143,6 +142,17 @@
             not_authorised(<<"Login failed">>, ReqData, Context)
     end.
 
+%% We can't use wrq:peer/1 because that trusts X-Forwarded-For.
+peer(ReqData) ->
+    WMState = ReqData#wm_reqdata.wm_state,
+    {ok, {IP,_Port}} = peername(WMState#wm_reqstate.socket),
+    IP.
+
+%% Like the one in rabbit_net, but we and webmachine have a different
+%% way of wrapping
+peername(Sock) when is_port(Sock) -> inet:peername(Sock);
+peername({ssl, SSL})              -> ssl:peername(SSL).
+
 vhost(ReqData) ->
     case id(vhost, ReqData) of
         none  -> none;
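Review bot: `{ok, {IP,_Port}} = peername(...)` in peer/1 raises a badmatch whenever inet:peername/1 or ssl:peername/1 returns `{error, Reason}` (for example when the client has already closed the connection), turning a failed login into a crashed request; match the error tuple and fall through to not_authorised instead. peername/1 also has no clause for a socket that is neither a port nor `{ssl, SSL}`, so any other wrapper webmachine might hand over raises function_clause; a catch-all clause returning `{error, unknown_socket}` would make both failure paths explicit.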

--- End Message ---
