!36 Fix CVE-2020-10775

From: @huan-yangqqq 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

CVE-2020-10775.patch

@@ -0,0 +1,185 @@
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java	2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/servlet/SsoPostLoginServlet.java	2022-06-06 14:16:06.807214000 +0800
+@@ -8,6 +8,7 @@
+ 
+ import javax.naming.InitialContext;
+ import javax.naming.NamingException;
++import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServlet;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -41,7 +42,7 @@
+     }
+ 
+     @Override
+-    public void init() {
++    public void init()  throws ServletException {
+         String strVal = getServletConfig().getInitParameter("login-as-admin");
+         if (strVal == null) {
+             throw new RuntimeException("No login-as-admin init parameter specified for SsoPostLoginServlet.");
+@@ -61,9 +62,8 @@
+     @Override
+     protected void service(HttpServletRequest request, HttpServletResponse response) throws IOException {
+         log.debug("Entered SsoPostLoginServlet");
+-        String username;
++        String username  = null;
+         String profile = null;
+-        String authzName;
+         InitialContext ctx = null;
+         try {
+             String error_description = request.getParameter("error_description");
+@@ -90,12 +90,12 @@
+             Map<String, Object> payload = (Map<String, Object>) jsonResponse.get("ovirt");
+ 
+             username = (String) jsonResponse.get("user_id");
++            profile = "";
+             int index = username.lastIndexOf("@");
+             if (index != -1) {
+                 profile = username.substring(index + 1);
+                 username = username.substring(0, index);
+             }
+-            authzName = (String) jsonResponse.get("user_authz");
+ 
+             try {
+                 ctx = new InitialContext();
+@@ -120,14 +120,12 @@
+                                 "Unable to login user %s@%s with profile [%s]" +
+                                         " because the maximum number of allowed sessions %s is exceeded",
+                                 username,
+-                                authzName,
+                                 profile,
+                                 maxUserSessions));
+                     }
+                     throw new RuntimeException(String.format(
+                             "The user %s@%s with profile [%s] is not authorized to perform login",
+                             username,
+-                            authzName,
+                             profile));
+                 } else {
+                     HttpSession httpSession = request.getSession(true);
+@@ -143,9 +141,7 @@
+             } catch (RuntimeException ex) {
+                 throw ex;
+             } catch (Exception ex) {
+-                throw new RuntimeException(
+-                        String.format("User login failure: %s@%s with profile [%s]", username, authzName, profile),
+-                        ex);
++                throw new RuntimeException(String.format("User login failure: %s", username), ex);
+             } finally {
+                 try {
+                     if (ctx != null) {
+diff -Naru a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java
+--- a/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java	2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/main/java/org/ovirt/engine/core/aaa/SsoUtils.java	2022-06-06 14:19:02.265717000 +0800
+@@ -33,7 +33,7 @@
+     public static String createUserSession(HttpServletRequest req,
+             Map<String, Object> jsonResponse,
+             boolean loginAsAdmin) throws Exception {
+-        String engineSessionId;
++        String engineSessionId = null;
+         if (!FiltersHelper.isStatusOk(jsonResponse)) {
+             throw new RuntimeException((String) jsonResponse.get("MESSAGE"));
+         }
+@@ -46,7 +46,6 @@
+             profile = username.substring(index + 1);
+             username = username.substring(0, index);
+         }
+-        String authzName = (String) jsonResponse.get("user_authz");
+         try {
+             ctx = new InitialContext();
+             ActionReturnValue queryRetVal = FiltersHelper.getBackend(ctx).runAction(ActionType.CreateUserSession,
+@@ -70,14 +69,12 @@
+                             "Unable to login user %s@%s with profile [%s] " +
+                                     "because the maximum number of allowed sessions %s is exceeded",
+                             username,
+-                            authzName,
+                             profile,
+                             EngineLocalConfig.getInstance().getInteger("ENGINE_MAX_USER_SESSIONS")));
+                 }
+                 throw new RuntimeException(String.format(
+                         "The user %s@%s with profile [%s] is not authorized to perform login",
+                         username,
+-                        authzName,
+                         profile));
+             }
+             engineSessionId = queryRetVal.getActionReturnValue();
+@@ -90,8 +87,8 @@
+                         true);
+             }
+         } catch (Exception ex) {
+-            log.error("User '{}@{}' with profile [{}] login failed: {}", username, authzName, profile, ex.getMessage());
+-            log.debug("User '{}@{}' with profile [{}] login failed", username, authzName, profile, ex);
++            log.error("User '{}@{}' login failed: {}", username, profile, ex.getMessage());
++            log.debug("User '{}@{}' login failed", username, profile, ex);
+             throw ex;
+         } finally {
+             try {
+@@ -139,7 +136,6 @@
+         if (StringUtils.isNotBlank(alternateFqdnString)) {
+             Arrays.stream(alternateFqdnString.trim().split("\\s *"))
+                     .filter(StringUtils::isNotBlank)
+-                    .map(String::toLowerCase)
+                     .forEach(allowedDomains::add);
+         }
+ 
+@@ -148,7 +144,7 @@
+ 
+     private static String parseHostFromUrl(String url, String urlPropertyName) {
+         try {
+-            return new URI(url).getHost().toLowerCase();
++            return new URI(url).getHost();
+         } catch (URISyntaxException e) {
+             throw new IllegalStateException(urlPropertyName + " not a valid URI: " + url);
+         }
+diff -Naru a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java
+--- a/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java	2021-07-20 03:39:24.000000000 +0800
++++ b/backend/manager/modules/aaa/src/test/java/org/ovirt/engine/core/aaa/SsoUtilsTest.java	2022-06-06 14:20:07.028614000 +0800
+@@ -38,23 +38,6 @@
+     }
+ 
+     @Test
+-    public void shouldMatchAppUrlDomainOnAlternateSSOEngineUrlRegardlessUpperCase() {
+-        // given
+-        EngineLocalConfig.getInstance(new HashMap<>() {
+-            {
+-                put("SSO_ENGINE_URL", "https://engine.example.com:8221/ovirt-engine");
+-                put("SSO_ALTERNATE_ENGINE_FQDNS", "engine1.example.com ALTERNATE-engine.example.com");
+-            }
+-        });
+-
+-        // when
+-        boolean valid = SsoUtils.isDomainValid("https://alternate-engine.EXAMPLE.com:20001/somerest/api_v9");
+-
+-        // then
+-        Assertions.assertTrue(valid);
+-    }
+-
+-    @Test
+     public void shouldAllowBlankAppUrl() {
+         // given
+         EngineLocalConfig.getInstance(new HashMap<>() {
+@@ -103,23 +86,6 @@
+ 
+         // then
+         Assertions.assertTrue(valid);
+-    }
+-
+-    @Test
+-    public void shouldMatchAppUrlDomainOnSSOEngineUrlRegardlessUpperCase() {
+-        // given
+-        EngineLocalConfig.getInstance(new HashMap<>() {
+-            {
+-                put("SSO_ENGINE_URL", "https://engine.EXAMPLE.com:30003/ovirt-engine");
+-                put("SSO_ALTERNATE_ENGINE_FQDNS", "alternate-engine.example.com");
+-            }
+-        });
+-
+-        // when
+-        boolean valid = SsoUtils.isDomainValid("https://ENGINE.example.com:20001/somerest/api_v9");
+-
+-        // then
+-        Assertions.assertTrue(valid);
+     }
+ 
+     @Test

ovirt-engine.spec

@@ -161,7 +161,7 @@ getent passwd %1 >/dev/null || useradd -r -u %2 -g %3 -c %5 -s /sbin/nologin -d
 
 Name:		ovirt-engine
 Version:	4.4.7.7
-Release:	3
+Release:	4
 Summary:	Management server for Open Virtualization
 Group:		%{ovirt_product_group}
 License:	Apache 2.0
@@ -174,6 +174,7 @@ Source2:        xalan-2.7.1.jbossorg-2.jar
 # sed -i "s/$version/5.10.3/g" libsass-maven-plugin-0.2.8-libsass_3.4.4.pom
 Source3:        libsass-maven-plugin-0.2.8-libsass_3.4.4.pom
 Patch1:         0001-add-dependent-package-to-lib.patch
+Patch2:         CVE-2020-10775.patch
 BuildArch:	noarch
 
 BuildRequires:	assertj-core >= 2.2.0
@@ -617,6 +618,7 @@ Setup imageio service.
 %prep
 %setup -c -q
 %patch1 -p1
+%patch2 -p1
 mvn install:install-file -DgroupId=io.reactive.rxjava2 -DartifactId=rxjava -Dversion=2.2.4 -Dpackaging=jar -Dfile=%{SOURCE1}
 mvn install:install-file -DgroupId=xalan -DartifactId=xalan -Dversion=2.7.1.jbossorg-2 -Dpackaging=jar -Dfile=%{SOURCE2}
 mkdir -p ~/.m2/repository/com/github/warmuuh/libsass-maven-plugin/0.2.8-libsass_3.4.4
@@ -1253,6 +1255,9 @@ fi
 %{engine_data}/setup/bin/ovirt-engine-health
 
 %changelog
+* Fri May 27 2022 yanghuan <huan.yang@epro.com.cn> - 4.4.7.7-4
+- Fix CVE-2020-10775
+
 * Wed Sep 15 2021 Ge Wang <wangge20@huawei.com> - 4.4.7.7-3
 - Fix aarch64 setup error