Some id arguments for the OSAPI queries should only take numeric arguments, but this is not verified before passing the id to the db api. In the case of MySQL this leads, for example, to automatic truncation of non-numeric characters from the end of the string.
Let's say there's a floating ip entry with id=123. If you issue a request to "https://api/v1.1/tenant/os-floating-ips/123zzzz", you will get the floating ip 123 in response. The following line will be logged:
2012-11-12 18:11:03 WARNING nova.common.deprecated [req-21324670-f110-4eb1-8c35-bb1aa5581edb None None] Truncated incorrect DOUBLE value: '123zzzz'
Although this is a trivial thing in this example, probably the code should be fixed or at least reviewed in case there's a possibility of circumventing some security check (for example, if the check passes for non-existent ids, but then allows access on a stripped id).
This bug is likely to happen on more resources than just os-floating-ips.
I believe this issue happens only with a MySQL database, but this may not be correct - other ones may have a similar behaviour.
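An added example (not Nova's code and not part of the original report) showing the mismatch described above next to an API-layer check that closes it. `lenient_numeric_cast` is a simplified model of the database coercion, and every function name and the sample row are constructed for illustration.

```python
import re

# Constructed sample data: one floating IP row with id=123, as in the report.
FLOATING_IPS = {123: {"id": 123, "address": "10.0.0.5"}}

_LEADING_NUMBER = re.compile(r"\s*([+-]?\d+)")


def lenient_numeric_cast(value):
    """Simplified model of the coercion the report observed: keep the
    leading numeric prefix of a string and drop the rest (0 if none)."""
    match = _LEADING_NUMBER.match(value)
    return int(match.group(1)) if match else 0


def lookup_unvalidated(raw_id):
    """Before: the raw path segment reaches the id comparison unchecked."""
    return FLOATING_IPS.get(lenient_numeric_cast(raw_id))


class InvalidId(ValueError):
    """Hypothetical error the API layer would map to an HTTP 400/404."""


# ASCII digits only. int() alone is too permissive for this purpose:
# it also accepts " 123 ", "+123" and "1_000".
_STRICT_ID = re.compile(r"[0-9]{1,18}")


def parse_numeric_id(raw_id):
    """Accept only a string of decimal digits; reject anything else."""
    if not isinstance(raw_id, str) or not _STRICT_ID.fullmatch(raw_id):
        raise InvalidId("id must be a decimal integer: %r" % (raw_id,))
    return int(raw_id)


def lookup_validated(raw_id):
    """After: validate first, then pass an int (never the string) down."""
    return FLOATING_IPS.get(parse_numeric_id(raw_id))


if __name__ == "__main__":
    print(lookup_unvalidated("123zzzz"))  # the row with id 123 comes back
    try:
        lookup_validated("123zzzz")
    except InvalidId as exc:
        print("rejected:", exc)
```

Any authorization check should be made on the parsed integer that is also used for the lookup, so the value checked and the value fetched cannot differ.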
Fix proposed to branch: master /review.openstack.org/52459
Review: https:/