[ 
https://issues.apache.org/jira/browse/MESOS-5685?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-5685:
-----------------------------
    Summary: The /files/download endpoint's authorization can be compromised  
(was: The /files/download endpoint authorization can be compromised)

> The /files/download endpoint's authorization can be compromised
> ---------------------------------------------------------------
>
>                 Key: MESOS-5685
>                 URL: https://issues.apache.org/jira/browse/MESOS-5685
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.28.2
>            Reporter: Greg Mann
>              Labels: mesosphere
>
> If a forward slash is appended to the path of a file a user wishes to 
> download via {{/files/download}}, the authorization logic for that path will 
> be bypassed and the file will be downloaded regardless of permissions. This 
> is because we store the authorization callbacks for these paths in a map 
> which is keyed by the path name, so a request to {{/master/log/}} fails to 
> find the callback which is installed for {{/master/log}}. When the master 
> fails to find the callback, it assumes authorization is not required for that 
> path and authorizes the action.
> Consider the following excerpt:
> {code}
> gmann@gmac:~/src/mesos/build⚡  http GET http://127.0.0.1:5050/files/download\?path\=/master/log -a foo:bar
> HTTP/1.1 403 Forbidden
> Content-Length: 0
> Date: Wed, 22 Jun 2016 21:28:53 GMT
> gmann@gmac:~/src/mesos/build⚡  http GET http://127.0.0.1:5050/files/download\?path\=/master/log/ -a foo:bar
> HTTP/1.1 200 OK
> Content-Disposition: attachment; filename=mesos-master.gmac.gmann.log.INFO.20160622-142843.65615
> Content-Length: 14432
> Content-Type: application/octet-stream
> Date: Wed, 22 Jun 2016 21:28:56 GMT
> Log file created at: 2016/06/22 14:28:43
> Running on machine: gmac
> Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
> I0622 14:28:43.476925 2080764672 logging.cpp:194] INFO level logging started!
> I0622 14:28:43.477522 2080764672 main.cpp:367] Using 'HierarchicalDRF' allocator
> I0622 14:28:43.480650 2080764672 leveldb.cpp:174] Opened db in 2961us
> I0622 14:28:43.481046 2080764672 leveldb.cpp:181] Compacted db in 372us
> I0622 14:28:43.481078 2080764672 leveldb.cpp:196] Created db iterator in 13us
> I0622 14:28:43.481096 2080764672 leveldb.cpp:202] Seeked to beginning of db in 9us
> I0622 14:28:43.481111 2080764672 leveldb.cpp:271] Iterated through 0 keys in the db in 8us
> I0622 14:28:43.481165 2080764672 replica.cpp:779] Replica recovered with log positions 0 -> 0 with 1 holes and 0 unlearned
> I0622 14:28:43.481967 219914240 recover.cpp:451] Starting replica recovery
> I0622 14:28:43.482193 219914240 recover.cpp:477] Replica is in EMPTY status
> I0622 14:28:43.482589 2080764672 main.cpp:488] Creating default 'local' authorizer
> I0622 14:28:43.482719 2080764672 main.cpp:545] Starting Mesos master
> I0622 14:28:43.483085 218841088 replica.cpp:673] Replica in EMPTY status received a broadcasted recover request from (4)@127.0.0.1:5050
> I0622 14:28:43.487284 218304512 recover.cpp:197] Received a recover response from a replica in EMPTY status
> I0622 14:28:43.487694 219914240 recover.cpp:568] Updating replica status to STARTING
> {code}
> We could consider disallowing paths which end in trailing slashes.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
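
The lookup pattern described in the issue above, next to a hardened form, as an added example that is not part of the original message and is not Mesos code. All type and function names are hypothetical, the sample callback is constructed, and denying paths with no registered callback is an added assumption beyond the trailing-slash rejection the report suggests.

```cpp
#include <functional>
#include <map>
#include <string>

// Hypothetical types for illustration; not the Mesos API.
using Principal = std::string;
using AuthzCallback = std::function<bool(const Principal&)>;
enum class Decision { Allow, Deny, BadRequest };

// Callbacks keyed by the exact path string, as the report describes.
using CallbackMap = std::map<std::string, AuthzCallback>;

// Pattern from the report: a lookup miss is treated as "no authorization
// required", so "/master/log/" skips the callback stored for "/master/log".
Decision authorizeFailOpen(const CallbackMap& callbacks,
                           const std::string& path,
                           const Principal& principal) {
  auto it = callbacks.find(path);
  if (it == callbacks.end()) {
    return Decision::Allow;  // fail-open on a missing key
  }
  return it->second(principal) ? Decision::Allow : Decision::Deny;
}

// Hardened variant: reject trailing slashes (the mitigation suggested in the
// report) and, as an added assumption, deny when no callback is registered.
Decision authorizeFailClosed(const CallbackMap& callbacks,
                             const std::string& path,
                             const Principal& principal) {
  if (path.size() > 1 && path.back() == '/') {
    return Decision::BadRequest;
  }
  auto it = callbacks.find(path);
  if (it == callbacks.end()) {
    return Decision::Deny;  // unknown path: no implicit access
  }
  return it->second(principal) ? Decision::Allow : Decision::Deny;
}

// Constructed sample: only the principal "admin" may read /master/log.
CallbackMap sampleCallbacks() {
  CallbackMap m;
  m["/master/log"] = [](const Principal& p) { return p == "admin"; };
  return m;
}
```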
