Default routes mappings for format, edit and new are present

Bug #1185828 reported by Stuart McLaren
Affects   Status        Importance   Assigned to
Cinder    Invalid       Undecided    Unassigned
Glance    Fix Released  Undecided    Stuart McLaren

Bug Description

This invalid call:

$ curl -H "x-auth-token: `cat ~/token`" http://localhost:9292/v1/images/detail.xxx

Returns 200 (rather than 404) and also creates a file in the cache area:

$ ls -l /opt/stack/data/glance/cache/detail.xxx
-rw-r----- 1 ubuntu ubuntu 1513 May 30 14:00 /opt/stack/data/glance/cache/detail.xxx

Changed in glance:
assignee: nobody → Stuart McLaren (stuart-mclaren)
Changed in glance:
status: New → Confirmed
Revision history for this message
Stuart McLaren (stuart-mclaren) wrote:

This seems to be generic -- we've confirmed that cinder also treats non-valid urls as valid.

Duncan Thomas (duncan-thomas) wrote:

Cinder example (subtly redacted):

$ curl -i https://region-b.geo-1.block.hpcloudsvc.com/v1/123456/volumes/detail.xxx -X GET -H "X-Auth-Project-Id: <email address hidden>" -H "User-Agent: python-cinderclient" -H "Accept: application/json" -H "X-Auth-Token: HPAuth10_abcdef1234567890"
HTTP/1.1 200 OK
Content-Length: 340
Content-Type: application/json
Date: Thu, 30 May 2013 16:26:51 GMT
X-Compute-Request-Id: req-f11111b-39e9-4a2d-ab37-4d98591c4b64

{"volumes": [{"status": "available", "display_name": null, "attachments": [], "availability_zone": "az1", "bootable": "false", "created_at": "2013-05-16T13:48:11.000000", "display_description": null, "volume_type": "None", "snapshot_id": null, "source_volid": null, "metadata": {}, "id": "34a9d0cd-a74c-4b52-8067-db1234c0590f", "size": 1}]}

Changed in cinder:
status: New → Confirmed
Stuart McLaren (stuart-mclaren) wrote:

Printing out the v1 route mapper, it looks like this:

                            POST /images.:(format)
                            POST /images
formatted_detail_images GET /images/detail.:(format)
detail_images GET /images/detail
formatted_images GET /images.:(format)
images GET /images
formatted_new_image GET /images/new.:(format)
new_image GET /images/new
                            PUT /images/:(id).:(format)
                            PUT /images/:(id)
                            DELETE /images/:(id).:(format)
                            DELETE /images/:(id)
formatted_edit_image GET /images/:(id)/edit.:(format)
edit_image GET /images/:(id)/edit
formatted_image GET /images/:(id).:(format)
image GET /images/:(id)
                                    /
                            HEAD /images/{id}
                            POST /images/:image_id/members.:(format)
                            POST /images/:image_id/members
formatted_image_members GET /images/:image_id/members.:(format)
image_members GET /images/:image_id/members
formatted_image_new_member GET /images/:image_id/members/new.:(format)
image_new_member GET /images/:image_id/members/new
                            PUT /images/:image_id/members/:(id).:(format)
                            PUT /images/:image_id/members/:(id)
                            DELETE /images/:image_id/members/:(id).:(format)
                            DELETE /images/:image_id/members/:(id)
formatted_image_edit_member GET /images/:image_id/members/:(id)/edit.:(format)
image_edit_member GET /images/:image_id/members/:(id)/edit
formatted_image_member GET /images/:image_id/members/:(id).:(format)
image_member GET /images/:image_id/members/:(id)
                                    /shared-images/{id}
                            PUT /images/{image_id}/members

so all these URLs can be accessed, eg:

$ curl -v -k -H 'x-auth-token: XXX' https://localhost:9292/v1/images/new

is actually considered a route 'match' and returns a 500 rather than a 404.

information type: Public → Private Security
Thierry Carrez (ttx)
information type: Private Security → Public
summary: - Invalid path names can return 200 and store file in cache
+ Default routes mappings for format, edit and new are present
OpenStack Infra (hudson-openstack) wrote: Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/31221

Changed in glance:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to glance (master)

Reviewed: https://review.openstack.org/31221
Committed: http://github.com/openstack/glance/commit/519c0a6be124468d2158cd8e5f7f08f7dcd55125
Submitter: Jenkins
Branch: master

commit 519c0a6be124468d2158cd8e5f7f08f7dcd55125
Author: Stuart McLaren <email address hidden>
Date: Fri May 31 14:20:40 2013 +0000

    Remove routes collection mappings

    When using the routes mapper's collection to map from URLs to
    python functions several additional URIs are created by
    default: 'new', 'format' and 'edit', eg this URI

    /v1/images/new

    was accessible and would return a '500'.

    /v1/images/detail.xxx

    was accessible and a 'GET' to it would create a file called 'detail.xxx'
    in the image cache directory (where 'xxx' is an arbitrary string).

    Similar resources for image memberships existed.

    Other collection URIs (for both the API and Registry) would return
    unexpected behaviour.

    Use explicit mappings rather than a 'collection' to remove
    the superfluous resources.

    Fixes bug 1185828.

    Change-Id: I2f451f0208d43cdc83dcf58a41ea31359b18fcf2
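
The route mapper printout earlier in this thread and the commit message above describe the same mechanism: a Routes resource/collection mapping adds `.:(format)`, `new` and `edit` routes that the controller never implemented, so `/images/detail.xxx` matches and is served (with `xxx` captured as the "format" and, per the report, written out as a cache file name), while `/images/new` matches a route whose action does not exist and falls over with a 500. The following is an added, constructed model of that behaviour, not Glance's code or the `routes` library: the two route tables are written as plain regexes, the controller is assumed to implement only `index`, `detail` and `show` for GET, and the image store and id are sample values.

```python
"""Constructed model of the two v1 route tables discussed in this bug.

COLLECTION_ROUTES reproduces, as plain regexes, the GET routes the Routes
resource/collection mapping generated (the formatted_*, new_* and edit_*
entries printed in the bug); EXPLICIT_ROUTES is the hand-written equivalent
that only exposes actions the controller actually has. Neither is Glance's
own code; this is an illustration written for this page.
"""
import re

# (route name, HTTP method, path regex, controller action), in match order.
COLLECTION_ROUTES = [
    ("formatted_detail_images", "GET", r"^/images/detail\.(?P<format>[^/]+)$", "detail"),
    ("detail_images",           "GET", r"^/images/detail$",                     "detail"),
    ("formatted_images",        "GET", r"^/images\.(?P<format>[^/]+)$",         "index"),
    ("images",                  "GET", r"^/images$",                            "index"),
    ("formatted_new_image",     "GET", r"^/images/new\.(?P<format>[^/]+)$",     "new"),
    ("new_image",               "GET", r"^/images/new$",                        "new"),
    ("formatted_edit_image",    "GET", r"^/images/(?P<id>[^/]+)/edit\.(?P<format>[^/]+)$", "edit"),
    ("edit_image",              "GET", r"^/images/(?P<id>[^/]+)/edit$",         "edit"),
    ("formatted_image",         "GET", r"^/images/(?P<id>[^/.]+)\.(?P<format>[^/]+)$", "show"),
    ("image",                   "GET", r"^/images/(?P<id>[^/]+)$",              "show"),
]

# What the fix does: connect only the URLs the controller is meant to serve.
EXPLICIT_ROUTES = [
    ("detail_images", "GET", r"^/images/detail$",        "detail"),
    ("images",        "GET", r"^/images$",               "index"),
    ("image",         "GET", r"^/images/(?P<id>[^/]+)$", "show"),
]

# Constructed stand-in for the registry; the id is a sample value.
IMAGES = {"11111111-2222-3333-4444-555555555555": {"name": "sample", "size": 1}}


class ImagesController:
    """GET actions assumed for Glance v1: there is no new() or edit()."""

    def index(self, params):
        return 200, sorted(IMAGES)

    def detail(self, params):
        return 200, [dict(id=i, **meta) for i, meta in sorted(IMAGES.items())]

    def show(self, params):
        image = IMAGES.get(params.get("id"))
        return (200, image) if image else (404, "image not found")


def match(routes, method, path):
    """First-match lookup, as an ordered mapper does.

    Returns (route name, action, captured params) or None."""
    for name, route_method, regex, action in routes:
        if route_method != method:
            continue
        mo = re.match(regex, path)
        if mo:
            return name, action, mo.groupdict()
    return None


def dispatch(routes, method, path):
    """Status code the request would get under the given route table."""
    hit = match(routes, method, path)
    if hit is None:
        return 404                      # no route at all
    _name, action, params = hit
    handler = getattr(ImagesController(), action, None)
    if handler is None:
        return 500                      # route exists, controller action does not
    status, _body = handler(params)
    return status


if __name__ == "__main__":
    for path in ("/images/detail", "/images/detail.xxx", "/images/new",
                 "/images/11111111-2222-3333-4444-555555555555/edit"):
        print(f"{path:55} collection={dispatch(COLLECTION_ROUTES, 'GET', path)} "
              f"explicit={dispatch(EXPLICIT_ROUTES, 'GET', path)}")
```

Under the collection table `/images/detail.xxx` is answered with 200 and the match carries `format='xxx'`, the arbitrary string the report saw become a cache file name; `/images/new` matches a route with no controller action and yields 500. Under the explicit table the same paths fall through to the `show` route and are rejected as unknown image ids, so the server answers 404 and nothing derived from the URL is treated as a format.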

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
milestone: none → havana-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-2 → 2013.2
Rushi Agrawal (rushiagr) wrote:

Can't reproduce with latest cinder. Please revert the status if it can be reproduced again.

Changed in cinder:
status: Confirmed → Incomplete
Sean McGinnis (sean-mcginnis) wrote: Cleanup

Closing stale bug. If this is still an issue please reopen.

Changed in cinder:
status: Incomplete → Invalid