[OSSA-2016-004] Swift proxy-server DoS through Large Object (CVE-2016-0737, CVE-2016-0738)

Moving to -updates milestones for 7.0/6.1/6.0/5.1.1 - waiting for the fix in 8.0/9.0.

This was merged to Mitaka - https://review.openstack.org/#/c/270233/

Maintenance fixes are available here https://review.fuel-infra.org/#/q/topic:bug/1542145

STEPS TO REPRODUCE. CLIENT-TO-PROXY issue (bug #1466549):
1. Deploy cloud with swift

2. Export auth variables for swift client:
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL="http://192.168.0.2:5000/v2.0/"

3. Upload a DLO to cloud:
    $ dd if=/dev/zero of=2x1G bs=1M count=2048
    $ swift post test
    $ swift upload test -S 1073741824 2x1G

4. Turn on connections monitoring on every controller (you should look for ESTABLISHED connections):
watch -n 1 "netstat -tapn | grep -E ':60[0-4]0 ' | grep -v TIME_WA"

5. Get swift Token and Account (excessive output is omitted):
#swift stat -v
StorageURL: http://172.16.59.36:8080/v1/AUTH_655bfcd63bd647cfb5850c995fe2f609
Auth Token: b543b376c97848548a26daa1aa3df57b
Account: AUTH_655bfcd63bd647cfb5850c995fe2f609

6. Get current Date from object's metadata (excessive output is omitted):
# curl -I "http://172.16.59.36:8080/v1/AUTH_655bfcd63bd647cfb5850c995fe2f609/test/2x1G" -H 'X-Auth-Token: b543b376c97848548a26daa1aa3df57b'

HTTP/1.1 200 OK
....
Date: Wed, 16 Mar 2016 14:38:48 GMT
Connection: close

7. Request uploaded object with if-modified-since condition (you should get a response with 304 Error):

curl -I "http://172.16.59.36:8080/v1/AUTH_655bfcd63bd647cfb5850c995fe2f609/test/2x1G" -H 'X-Auth-Token: b543b376c97848548a26daa1aa3df57b' -H 'if-modified-since: Wed, 16 Mar 2016 14:38:48 GMT'

HTTP/1.1 304 Not Modified
Content-Length: 0
Etag: "ef36dc89234e86b33d7c89f7a3975ac3"
X-Object-Meta-Mtime: 1458136136.170476
Accept-Ranges: bytes
Last-Modified: Wed, 16 Mar 2016 13:52:55 GMT
X-Object-Manifest: test_segments/2x1G/1458136136.170476/2147483648/1073741824/
X-Timestamp: 1458136374.94459
Content-Type: application/octet-stream
X-Trans-Id: txa3d14be6385543f7a69cb-0056e97041
Date: Wed, 16 Mar 2016 14:40:01 GMT
Connection: close

RESULT: you have established connection at your controllers which is not active (were used to provide 304 response)

STEPS TO REPRODUCE. CLIENT-TO-PROXY issue (bug #1493303):

1. Use environment from previous tests

2. Follow instructions from https://bugs.launchpad.net/cloud-archive/+bug/1493303/comments/10

Both security issues are not reproducible in MOS 6.1 and older versions.

Set bug's status to Invalid for MOS 6.1 and prior.

Verified on MOS 7.0 mu-3 updates.

Verified on MOS 8.0 mu-1 updates.

Verified on:
[root@nailgun ~]# shotgun2 short-report
cat /etc/fuel_build_id:
 465
cat /etc/fuel_build_number:
 465
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 mitaka-9.0
rpm -qa | egrep 'fuel|astute|network-checker|nailgun|packetary|shotgun':
 fuel-release-9.0.0-1.mos6349.noarch
 fuel-misc-9.0.0-1.mos8454.noarch
 python-packetary-9.0.0-1.mos140.noarch
 fuel-bootstrap-cli-9.0.0-1.mos285.noarch
 fuel-migrate-9.0.0-1.mos8454.noarch
 rubygem-astute-9.0.0-1.mos750.noarch
 fuel-mirror-9.0.0-1.mos140.noarch
 shotgun-9.0.0-1.mos90.noarch
 fuel-openstack-metadata-9.0.0-1.mos8742.noarch
 fuel-notify-9.0.0-1.mos8454.noarch
 nailgun-mcagents-9.0.0-1.mos750.noarch
 python-fuelclient-9.0.0-1.mos325.noarch
 fuel-9.0.0-1.mos6349.noarch
 fuel-utils-9.0.0-1.mos8454.noarch
 fuel-setup-9.0.0-1.mos6349.noarch
 fuel-provisioning-scripts-9.0.0-1.mos8742.noarch
 fuel-library9.0-9.0.0-1.mos8454.noarch
 network-checker-9.0.0-1.mos74.x86_64
 fuel-agent-9.0.0-1.mos285.noarch
 fuel-ui-9.0.0-1.mos2717.noarch
 fuel-ostf-9.0.0-1.mos935.noarch
 fuelmenu-9.0.0-1.mos274.noarch
 fuel-nailgun-9.0.0-1.mos8742.noarch

Change abandoned by Alexander Evseev <email address hidden> on branch: 9.0/mitaka
Review: https://review.fuel-infra.org/21118