Control: found -1 2.6-7+deb6u2
Control: found -1 2.6-10+deb7u2

On Mon, Jan 06, 2014 at 11:00:45AM +1100, Vincent McIntyre wrote:
> I have 2.6-10 running on a few squeeze hosts here and applied the patch that
> should fix #692229. I think there is a problem with one aspect of that
> change -
> 
> - FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for 
> (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from 
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
> + FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for 
> (?P<invalid>invalid user |illegal user )?(?P<user>.*) from 
> (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
> 
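
Review bot: the "$" placed directly after the host group in the "+"
pattern requires the address to be the last thing in the message, and
nothing in the hunk allows for text that sshd appends after it, so such
lines stop matching. Rather than dropping the anchor, keep the greedy
"(?P<user>.*)" and spell out the permitted tail between the host group
and "$". A comment above FAILED_ENTRY_REGEX saying why the user match is
greedy and why the pattern is end-anchored would keep a later edit from
loosening it again.
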
> The issue is the $ after the IP address matching - this fails on my syslog
> files which have lines like:
> Jan  5 21:01:15 venice sshd[12491]: Failed password for root from 
> 122.252.245.89 port 57845 ssh2

Thanks for reporting this regression.

> To make the regex match again, just drop the $. (Tested with 'kodos').
> What I am unclear about is whether making this change will allow
> IP address injections again.  Can the wildcard for the <user> match
> be made non-greedy?

As soon as you have two .* patterns, injections are technically
possible. Dropping the $ counts as one trailing .*. Making the user
match non-greedy reintroduces the issue. It must be greedy.

> Otherwise, the following regex may be ok:
> 
> Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user 
> )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})( 
> port \d+)?

The trailing ( port \d+)? is useless, because it is always fulfilled
with the empty string and any garbage beyond is matched by the lack of a
$ pattern. This is no improvement over just dropping the $.

> This issue is also present in 2.6-7+deb6u2 (I checked regex.py)
> and (I infer) 2.6-10+deb7u.

Marked in the bts.

A real fix seems more involved. Suggestions welcome.

Helmut
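
Added example, not part of the original message or of denyhosts: a small harness that runs the pattern variants discussed above over three messages and reports which host each one captures. It assumes the patterns are applied with re.search to the message part after the "sshd[pid]:" prefix. The names VARIANTS, captured_host and compare are illustrative, and the INJECTED and TRAILING lines are constructed.

```python
import re

# Shared pieces of the patterns quoted in the thread.
HEAD = r"Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?"
HOST = r"(::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"

VARIANTS = {
    # The "+" line of the patch: greedy user, anchored right after the address.
    "patched": HEAD + r"(?P<user>.*) from " + HOST + r"$",
    # Same pattern with the "$" dropped.
    "no_dollar": HEAD + r"(?P<user>.*) from " + HOST,
    # The proposal with an optional port group and no "$".
    "optional_port": HEAD + r"(?P<user>.*) from " + HOST + r"( port \d+)?",
    # Greedy user replaced by a non-greedy one, no "$".
    "lazy_user": HEAD + r"(?P<user>.*?) from " + HOST,
}

# Message part of the syslog line quoted in the thread.
SAMPLE = "Failed password for root from 122.252.245.89 port 57845 ssh2"
# Constructed: the user field contains " from <address>"; the client is 192.0.2.10.
INJECTED = ("Failed password for invalid user x from 198.51.100.7 "
            "from 192.0.2.10 port 4242 ssh2")
# Constructed: arbitrary text after the address.
TRAILING = "Failed password for root from 192.0.2.10 anything at all"


def captured_host(variant, message):
    """Return the host group a variant extracts from a message, or None."""
    m = re.search(VARIANTS[variant], message)
    return m.group("host") if m else None


def compare(messages):
    """Map each variant name to the hosts it extracts from the messages."""
    return {name: [captured_host(name, msg) for msg in messages]
            for name in VARIANTS}


if __name__ == "__main__":
    for name, hosts in compare([SAMPLE, INJECTED, TRAILING]).items():
        print(f"{name:14} {hosts}")
```

The optional-port variant returns exactly what the dropped-"$" variant returns on all three messages, and only the non-greedy variant reports the address embedded in the user field.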

