Request handler allows to call internal functions
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Object Storage (swift) |
Fix Released
|
Medium
|
Ionuț Arțăriși |
Bug Description
Hi,
let me copy-and-paste here what Sebastian Krahmer <email address hidden> founds.
Can you verify the findings of Sebastian please. Thanks a lot.
Sebastian Krahmer 2012-05-07 14:49:29 CEST
The SWIFT object storage from openstack (swift-1.4.8) has the
following issue:
Sebastian Krahmer 2012-05-07 14:52:21 CEST
The way the request handler is called is insecure.
It should only allow PUT/POST etc. but not to call
internal object functions:
[...]
def __call__(self, env, start_response):
"""WSGI Application entry point for the Swift Object Server."""
start_time = time.time()
req = Request(env)
if not check_utf8(
res = HTTPPreconditio
else:
try:
if hasattr(self, req.method):
[...]
so as long as the req.method string is an attribute of the object,
it can be called. Should better check to be one of PUT/POST etc.
for safety.
description: | updated |
Changed in swift: | |
assignee: | nobody → Ionuț Arțăriși (iartarisi) |
status: | Triaged → In Progress |
Changed in swift: | |
milestone: | none → 1.6.0 |
status: | Fix Committed → Fix Released |
1) Do you have a working exploit for this?
2) My first idea on solving this is to use system used in the proxy server: mark public methods with the public() decorator and deny requests not marked as public. Do you think that would solve this issue?