packages/thrift
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2018-11798 and CVE-2018-1320

Browse Source
This commit is contained in:
wang_yue111 2020-11-05 17:33:26 +08:00
parent 4c45a3b02e
commit fc36fc9927
3 changed files with 102 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
CVE-2018-11798.patch Normal file
View File

@ -0,0 +1,63 @@
From 54356a41474cccb0e2e2a7fc4b646812acadb7ec Mon Sep 17 00:00:00 2001
From: jfarrell <jfarrell@apache.org>
Date: Thu, 4 Oct 2018 23:00:28 -0400
Subject: [PATCH] Thrift-4647: Node.js Filesever webroot fixed path
Updates the node.js fileserver to have a fixed based webroot which can
not be escaped by end users.
---
lib/js/test/server_http.js | 2 +-
lib/js/test/server_https.js | 2 +-
lib/nodejs/lib/thrift/web_server.js | 10 +++++++++-
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/lib/js/test/server_http.js b/lib/js/test/server_http.js
index e195e80..c516409 100644
--- a/lib/js/test/server_http.js
+++ b/lib/js/test/server_http.js
@@ -36,7 +36,7 @@ var ThriftTestSvcOpt = {
};
var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
services: {
"/service": ThriftTestSvcOpt
}
diff --git a/lib/js/test/server_https.js b/lib/js/test/server_https.js
index af1745b..9499b09 100644
--- a/lib/js/test/server_https.js
+++ b/lib/js/test/server_https.js
@@ -40,7 +40,7 @@ var ThriftTestSvcOpt = {
};
var ThriftWebServerOptions = {
- files: ".",
+ files: __dirname,
tls: {
key: fs.readFileSync("../../../test/keys/server.key"),
cert: fs.readFileSync("../../../test/keys/server.crt")
diff --git a/lib/nodejs/lib/thrift/web_server.js b/lib/nodejs/lib/thrift/web_server.js
index 37159ea..47e8a9f 100644
--- a/lib/nodejs/lib/thrift/web_server.js
+++ b/lib/nodejs/lib/thrift/web_server.js
@@ -414,7 +414,15 @@ exports.createWebServer = function(options) {
//Locate the file requested and send it
var uri = url.parse(request.url).pathname;
- var filename = path.join(baseDir, uri);
+ var filename = path.resolve(path.join(baseDir, uri));
+
+ //Ensure the basedir path is not able to be escaped
+ if (filename.indexOf(baseDir) != 0) {
+ response.writeHead(400, "Invalid request path", {});
+ response.end();
+ return;
+ }
+
fs.exists(filename, function(exists) {
if(!exists) {
response.writeHead(404);
--
2.23.0

32
CVE-2018-1320.patch Normal file
View File

@ -0,0 +1,32 @@
From d973409661f820d80d72c0034d06a12348c8705e Mon Sep 17 00:00:00 2001
From: "James E. King III" <jking@apache.org>
Date: Mon, 5 Mar 2018 11:34:21 -0500
Subject: [PATCH] THRIFT-4506: fix use of assert for correctness in Java SASL
negotiation Client: java
---
lib/java/src/org/apache/thrift/transport/TSaslTransport.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/lib/java/src/org/apache/thrift/transport/TSaslTransport.java b/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
index a94d9a7760..bbd3f9a34a 100644
--- a/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
+++ b/lib/java/src/org/apache/thrift/transport/TSaslTransport.java
@@ -287,7 +287,7 @@ public void open() throws TTransportException {
if (message.status == NegotiationStatus.COMPLETE &&
getRole() == SaslRole.CLIENT) {
LOGGER.debug("{}: All done!", getRole());
- break;
+ continue;
}
sendSaslMessage(sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK,
@@ -295,8 +295,6 @@ public void open() throws TTransportException {
}
LOGGER.debug("{}: Main negotiation loop complete", getRole());
- assert sasl.isComplete();
-
// If we're the client, and we're complete, but the server isn't
// complete yet, we need to wait for its response. This will occur
// with ANONYMOUS auth, for example, where we send an initial response

8
thrift.spec
View File

@ -30,7 +30,7 @@
%global golang_configure --without-go %global golang_configure --without-go
Name: thrift Name: thrift
Version: 0.10.0 Version: 0.10.0
Release: 1 Release: 2
Summary: Software framework for cross-language services development Summary: Software framework for cross-language services development
License: ASL 2.0 and BSD and zlib License: ASL 2.0 and BSD and zlib
URL: https://thrift.apache.org/ URL: https://thrift.apache.org/
@ -44,6 +44,9 @@ Patch2: configure-java-prefix.patch
Patch3: fix-ppc64le-builds.patch Patch3: fix-ppc64le-builds.patch
Patch4: THRIFT-4177.patch Patch4: THRIFT-4177.patch
Patch5: python3.patch Patch5: python3.patch
Patch6: CVE-2018-11798.patch
Patch7: CVE-2018-1320.patch
BuildRequires: ant >= 1.7 autoconf automake bison boost-devel flex flex-devel gcc-c++ BuildRequires: ant >= 1.7 autoconf automake bison boost-devel flex flex-devel gcc-c++
BuildRequires: glib2-devel libevent-devel libstdc++-devel libtool openssl-devel qt-devel BuildRequires: glib2-devel libevent-devel libstdc++-devel libtool openssl-devel qt-devel
BuildRequires: texlive zlib-devel BuildRequires: texlive zlib-devel
@ -361,5 +364,8 @@ find %{buildroot} -name \*.py -exec grep -q /usr/bin/env {} \; -print | xargs -r
%doc LICENSE NOTICE %doc LICENSE NOTICE
%changelog %changelog
* Thu Nov 05 2020 wangyue <wangyue92@huawei.com> - 0.10.0-2
- Fix CVE-2018-11798 and CVE-2018-1320.
* Tue Aug 18 2020 yaokai <yaokai13@huawei.com> - 0.10.0-1 * Tue Aug 18 2020 yaokai <yaokai13@huawei.com> - 0.10.0-1
- package init - package init