400 Bad Request not raised for string values of 'enabled'
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Justin Shepherd | |
Bug Description
Some time between folsom and grizzly, the type of the enabled field in the keystone project table was changed from string (u'true'/u'false') to boolean (1/0), which is a good thing. However, before, the API accepted a POST call to /v2.0/tenants with a JSON payload containing

```json
"enabled": "true"
```
Using the same payload now results in an invalid SQL query:
```
ERROR invalid literal for int() with base 10: 'true' (original cause: ValueError: invalid literal for int() with base 10: 'true') 'INSERT INTO project (id, name, domain_id, description, enabled, extra) VALUES (%s, %s, %s, %s, %s, %s)' [{'description': None, 'extra': {}, 'enabled': u'true', 'id': 'bf9788701b0e46
```
The solution is to use
```json
"enabled": "1"
```
as the JSON payload. IMHO this is a bug, since:
1) A formerly valid way to use the API does not work anymore, without a change in the API version number.
2) The string 'true' is passed to the SQL statement without any validation. In fact, any string I put in the JSON is given straight to the database. I haven't tried to do SQL injection though, since I don't want to destroy my DB.
3) The error message should really be improved. IMHO, there should be no 500 internal server errors originating from an invalid SQL caused by an invalid use of the API at all.
Btw, the same happens for user creation on POST /v2.0/users.
Changed in keystone:
- status: New → Confirmed
- tags: added: grizzly-backport-potential

Changed in keystone:
- milestone: none → havana-2
- status: Fix Committed → Fix Released

Changed in keystone:
- milestone: havana-2 → 2013.2
- tags: removed: grizzly-backport-potential
The correct solution is to use {"enabled": true} (an actual JSON boolean). I'd argue that "true" was never valid, and neither is "1" -- both values should raise a 400 Bad Request back to the API.
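The validation the report's point 2) and the comment above ask for, as an added example (not keystone's own code): a hypothetical handler that accepts only a JSON boolean for `enabled` and answers 400 otherwise, next to a constructed model of the legacy path where the value reaches the boolean column uncoerced. The `{"tenant": {...}}` wrapper, the default of `enabled=True` for a missing key, and the `int()` coercion are assumptions made for the example.

```python
import json


class BadRequest(Exception):
    """Maps to HTTP 400: the body is rejected before any SQL is built."""


def legacy_coerce_enabled(value):
    """Constructed model of the pre-fix path: the boolean column coerces
    whatever the JSON carried with int(), so 'true' raises ValueError
    (surfacing as a 500) while the string '1' silently succeeds."""
    return bool(int(value))


def validate_enabled(payload, default=True):
    """Return the 'enabled' flag from a parsed tenant/user body, accepting
    only a JSON boolean. Defaulting a missing key to True is an assumption."""
    if "enabled" not in payload:
        return default
    value = payload["enabled"]
    # bool is a subclass of int, so test it first; plain ints (1/0) and the
    # strings "true"/"1" are rejected rather than coerced.
    if isinstance(value, bool):
        return value
    raise BadRequest("'enabled' must be a JSON boolean, got %s: %r"
                     % (type(value).__name__, value))


def create_tenant(raw_body, validate=True):
    """Hypothetical handler for POST /v2.0/tenants. Returns (status, detail):
    201 with the values that would be bound to the INSERT, 400 for a rejected
    body, or 500 when the unvalidated legacy path fails inside the DB layer."""
    try:
        payload = json.loads(raw_body)["tenant"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed request body"
    if validate:
        try:
            enabled = validate_enabled(payload)
        except BadRequest as exc:
            return 400, str(exc)
    else:
        try:
            enabled = legacy_coerce_enabled(payload.get("enabled", True))
        except ValueError as exc:
            return 500, "invalid literal reached the SQL layer: %s" % exc
    return 201, {"name": payload.get("name"), "enabled": enabled}
```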