HTTP Security fixes #6103
This means we are not allowing unauthenticated requests anymore
doc/12-icinga2-api.md
| templates/<type> | /v1/templates | Yes | ||
| types | /v1/types | Yes | ||
| variables | /v1/variables | Yes | ||
| Permissions | URL Endpoint | Supports Filters | Max Body Size in MB |
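Review bot: the three rows visible here (templates, types, variables) leave the new `Max Body Size in MB` cell empty (`||`), so the column adds nothing for them; either fill in the limit that applies to each (the default, if that is what they use) or state the default once above the table. The discussion on this PR also settles that the limits apply to request bodies only, with responses unlimited, and that belongs in the same place in the docs.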
Spelling, either all use "in" or standard English grammar "Max body size in MB". In that case "Support Filters" would need to be changed too.
lib/base/tlsstream.cpp
| @@ -27,6 +27,9 @@ | |||
| # include <poll.h> | |||
| #endif /* _WIN32 */ | |||
|
|
|||
| #define TLS_TIMEOUT_SECONDS 10 | |||
| #define TLS_TIMEOUT_STEP_SECONDS 1 | |||
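Review bot: `TLS_TIMEOUT_STEP_SECONDS` is flagged as unused in the review and should be dropped; for `TLS_TIMEOUT_SECONDS`, prefer a `static const`/`constexpr` in this translation unit over a `#define`, and add a one-line comment stating which operation the 10 seconds bound, so the value can be judged against the other connection timeouts rather than read as a bare magic number.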
Unused, remove.
| @@ -34,3 +35,31 @@ ApiUser::Ptr ApiUser::GetByClientCN(const String& cn) | |||
|
|
|||
| return nullptr; | |||
| } | |||
|
|
|||
| ApiUser::Ptr ApiUser::GetByAuthHeader(const String& auth_header) | |||
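Review bot: only the signature of `ApiUser::GetByAuthHeader` is visible; the `+31` in the hunk header means the parsing of the header lives in the lines not shown. Since this PR stops accepting unauthenticated requests, this function becomes the entry point for untrusted header values, so it should return `nullptr` on every parse failure (mirroring the `return nullptr;` fallthrough of `GetByClientCN` just above) and be covered by tests for malformed input, not only the happy path.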
This will be fun to merge with the changes to our password system
lib/remote/httprequest.hpp
| @@ -62,7 +64,8 @@ struct HttpRequest | |||
|
|
|||
| HttpRequest(Stream::Ptr stream); | |||
|
|
|||
| bool Parse(StreamReadContext& src, bool may_wait); | |||
| bool ParseHeader(StreamReadContext& src, bool may_wait); | |||
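Review bot: `ParseHeader` is added beside `Parse` with the same `(StreamReadContext&, bool may_wait)` signature and `bool` result, but nothing in the header says how the two differ or what the return value means (request complete vs. need more data); a short comment on each, and on which of them applies the body-size limit, would make the split reviewable. The rename to `ParseHeaders` suggested in the review fits as well, since a request carries several.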
Rename to "ParseHeaders"
lib/remote/httpserverconnection.hpp
| @@ -21,6 +21,7 @@ | |||
| #define HTTPSERVERCONNECTION_H | |||
|
|
|||
| #include "remote/httprequest.hpp" | |||
| #include "remote/httpresponse.hpp" | |||
| #include "remote/apiuser.hpp" | |||
| #include "base/tlsstream.hpp" | |||
| #include "base/timer.hpp" | |||
This include does not seem to be required here
Before finishing this up I'd like to hear @dnsmichi and @gunnarbeutner's take on the new limits to HTTP body sizes. Here is the table from the docs for easier viewing:
Mh, are these body sizes for requests or responses, or for both?
Requests, responses are unlimited.
This small detail should be added to the docs then. The values look good, there's chances to go even lower than these are now.
| { | ||
| static const size_t defaultContentLengthLimit = 1 * 1028 * 1028; | ||
| static const Dictionary::Ptr specialContentLengthLimits = new Dictionary({ | ||
| {"*", 512 * 1028 * 1028}, |
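Review bot: the `1028` literals should be `1024` (a mebibyte is 2^20), as raised below; with 1028 the "1 MB" default is actually 1,056,784 bytes and the 512 MB `*` entry is off by about 0.8 % from what the docs table promises. Naming the unit once (e.g. `static const size_t MiB = 1024 * 1024;`) and writing `1 * MiB` / `512 * MiB` keeps the typo from recurring across the rest of the table, and a comment on what the `*` key selects (a permission, going by the `Permissions` column of the docs table) would help the next reader.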
Is there a particular reason why these calculations use 1028 instead of 1 << 10 == 2 ** 10 == 1024?
Not really, we can change that. But is it that much faster?
Oh, I think you misunderstood. It's not about performance (the compiler is likely to do the computation at build time anyway) and instead about power of two being the basis for Mebibyte. 1028 isn't a power of two.
Oh damn, that's a typo > < I'll get that fixed
This PR addresses a number of security issues with the HTTP server. These changes aim to prevent the abuse of the API in a way that causes Icinga 2 to crash.
Refs CVE-2018-6532
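As an added example (not code from this PR or from Icinga 2) of how a per-permission request body limit like the one in the docs table could be computed and enforced: it assumes the map keys are permission names and that a user's effective limit is the largest special limit among their permissions, falling back to the 1 MiB default. Only the `*` entry and the 1 MB default come from the page; the other keys, the sample permission lists and the function names are constructed, and the constants use 1024 rather than the 1028 typo discussed above.

```cpp
#include <algorithm>
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Power-of-two unit, so "512 MB" in the docs table and the value in code agree.
constexpr size_t kMiB = 1024 * 1024;
constexpr size_t kDefaultContentLengthLimit = 1 * kMiB;

// Assumed table: permission name -> larger request body allowance in bytes.
// Only the "*" entry is on the page; the other keys are constructed for this example.
const std::map<std::string, size_t>& SpecialContentLengthLimits()
{
    static const std::map<std::string, size_t> limits = {
        {"*", 512 * kMiB},
        {"config/modify", 512 * kMiB},
        {"objects/create", 64 * kMiB},
    };
    return limits;
}

// Effective limit for an authenticated user: the largest special limit among the
// permissions they hold, or the 1 MiB default when none of them has a special entry.
size_t EffectiveContentLengthLimit(const std::vector<std::string>& permissions)
{
    size_t maxSize = kDefaultContentLengthLimit;
    const auto& special = SpecialContentLengthLimits();
    for (const std::string& permission : permissions) {
        auto it = special.find(permission);
        if (it != special.end())
            maxSize = std::max(maxSize, it->second);
    }
    return maxSize;
}

// Decide on the declared Content-Length before any of the body is read: rejecting
// here is what keeps an oversize request from ever being buffered in memory.
bool RequestBodyAllowed(const std::vector<std::string>& permissions, size_t contentLength)
{
    return contentLength <= EffectiveContentLengthLimit(permissions);
}
```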