Traceback is sent to client
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Heat | Fix Released | High | Clint Byrum |
Bug Description
Tracebacks are being sent to the client and, in turn, expose server internals that could be used in an exploit:
stack@devstack3
ERROR: Traceback (most recent call last):
File "/usr/local/
try:
File "/usr/local/
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/local/
return self.func(req, *args, **kwargs)
File "/opt/stack/
"""
File "/usr/local/
application, catch_exc_
File "/usr/local/
app_iter = application(
File "/opt/stack/
return self.app(env, start_response)
File "/usr/local/
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/local/
return self.func(req, *args, **kwargs)
File "/opt/stack/
"""
File "/usr/local/
application, catch_exc_
File "/usr/local/
app_iter = application(
File "/usr/local/
return resp(environ, start_response)
File "/usr/lib/
response = self.app(environ, start_response)
File "/usr/local/
return resp(environ, start_response)
File "/usr/local/
resp = self.call_func(req, *args, **self.kwargs)
File "/usr/local/
return self.func(req, *args, **kwargs)
File "/opt/stack/
action_result = self.dispatch(
File "/opt/stack/
except Exception:
File "/opt/stack/
return handle_stack_method
File "/opt/stack/
return handle_stack_method
File "/opt/stack/
File "/opt/stack/
stack_
File "/opt/stack/
result = rpc.call(context, real_topic, msg, timeout)
File "/opt/stack/
_check_
File "/opt/stack/
rpc_
File "/opt/stack/
rv = list(rv)
File "/opt/stack/
raise result
ActionInProgres
Traceback (most recent call last):
File "/opt/stack/
**args)
File "/opt/stack/
result = getattr(proxyobj, method)(ctxt, **kwargs)
File "/opt/stack/
return func(self, ctx, *args, **kwargs)
File "/opt/stack/
action=
ActionInProgress: Stack test1376073183 already has an action (CREATE) in progress
The full traceback should remain in the engine debug output only unless the engine is explicitly configured to send the info to the client.
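One way to get the behaviour requested above, with the full traceback in the server log and only a short error sent to the client, is a WSGI fault wrapper. This is an added example, not Heat's code: `SafeFaultMiddleware`, `ClientSafeError`, the `expose_traceback` switch, the `fault_id` field and the 409 status mapping are assumptions made for illustration.

```python
import json
import logging
import sys
import traceback
import uuid

LOG = logging.getLogger("api.fault")  # server-side log only
GENERIC = ("500 Internal Server Error", "InternalError", "Internal error")

class ClientSafeError(Exception):
    """Base for errors whose message was written for the API user (constructed)."""
    status = "400 Bad Request"

class ActionInProgress(ClientSafeError):
    status = "409 Conflict"  # assumed mapping, for illustration

class SafeFaultMiddleware:
    """Log the full traceback; send the client a short, sanitized error."""
    def __init__(self, app, expose_traceback=False):
        self.app = app
        self.expose_traceback = expose_traceback  # hypothetical opt-in, off by default

    def __call__(self, environ, start_response):
        try:
            # Note: errors raised later, while the body is iterated, are not caught here.
            return self.app(environ, start_response)
        except Exception as exc:
            fault_id = uuid.uuid4().hex  # ties the client's report to the log entry
            trace = traceback.format_exc()
            LOG.error("fault_id=%s\n%s", fault_id, trace)
            status, kind, message = GENERIC  # unexpected: even str(exc) may leak paths
            if isinstance(exc, ClientSafeError):
                status, kind, message = exc.status, type(exc).__name__, str(exc)
            error = {"type": kind, "message": message, "fault_id": fault_id}
            if self.expose_traceback:
                error["traceback"] = trace
            payload = json.dumps({"error": error}).encode("utf-8")
            headers = [("Content-Type", "application/json"),
                       ("Content-Length", str(len(payload)))]
            start_response(status, headers, sys.exc_info())
            return [payload]

def invoke(app):
    """Drive a WSGI app once; return (status line, decoded JSON body)."""
    seen = []
    body = b"".join(app({"REQUEST_METHOD": "POST"},
                        lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0], json.loads(body)
```

The `fault_id` lets an operator find the logged traceback from a user's error report without the client ever seeing file paths or call chains.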
information type: Private Security → Public
description: updated
Changed in heat:
importance: Undecided → Medium
milestone: none → havana-rc1
Changed in heat:
status: New → Triaged
Changed in heat:
assignee: nobody → Clint Byrum (clint-fewbar)
Changed in heat:
status: Fix Committed → Fix Released
Changed in heat:
milestone: havana-rc1 → 2013.2
Changed in heat:
importance: Medium → High
Is this still happening w/ latest master? Several patches have been merged recently around exception formatting, so it would be good to check if this can be closed as a dupe of one of those bugs.