Response when a normal user updates the "shared" property of a network

Bug #1352907 reported by KaiLin
This bug affects 2 people
Affects: neutron    Status: Fix Released    Importance: Medium    Assigned to: Kevin Benton

Bug Description

I used a normal user to create a network successfully, then I wanted to update the "shared" property of the network.
It failed and responded with a 404 error; the message is: "The resource could not be found." But I had created the network, so this is very strange.

I checked the policy.json of neutron; the rule is "update_network:shared": "rule:admin_only", so the normal user can't update it.
So the error information is wrong.

Check the code:
    def update(self, request, id, body=None, **kwargs):
        """Updates the specified entity's attributes."""
        ......
        ......
        try:
            policy.enforce(request.context,
                           action,
                           orig_obj)
        except exceptions.PolicyNotAuthorized:
            # To avoid giving away information, pretend that it
            # doesn't exist
            msg = _('The resource could not be found.')
            raise webob.exc.HTTPNotFound(msg)

I think we shouldn't provide a wrong response message in order to avoid giving away information, and there isn't any information that needs to be hidden here, so I think it is a bug.

I suggest to modify the code like this:
        try:
            policy.enforce(request.context,
                           action,
                           orig_obj)
        except exceptions.PolicyNotAuthorized:
            # To avoid giving away information, pretend that it
            # doesn't exist
            # msg = _('The resource could not be found.')

            raise webob.exc.HTTPForbidden(exceptions.PolicyNotAuthorized.message)

Tags: neutron-core
KaiLin (linkai3)
affects: openstack-manuals → neutron
Revision history for this message
Kevin Benton (kevinbenton) wrote :

The problem is that this is the same enforcement error that someone will receive if they try to update someone else's network. By returning a 403 instead of a 404, we would reveal information about which networks exist.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/112150

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → In Progress
Akihiro Motoki (amotoki)
Changed in neutron:
importance: Undecided → Medium
milestone: none → juno-3
tags: added: neutron-core
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/112150
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cfea218390605e2fe34b225ffa75b8b5c141f0b9
Submitter: Jenkins
Branch: master

commit cfea218390605e2fe34b225ffa75b8b5c141f0b9
Author: Kevin Benton <email address hidden>
Date: Thu Jul 31 18:13:52 2014 -0700

    Return 403 instead of 404 on attr policy failures

    Return an HTTP Forbidden code (403) instead of an
    HTTP Not Found code (404) if a tenant is trying to
    update its own object. This is a safe adjustment
    since the tenant already knows this object exists
    so pretending it doesn't isn't improving security
    as much as it is causing confusion.

    Closes-Bug: #1352907
    Change-Id: I021ba6f890dfbabddd53e75c63083f5da0ecfdec

Changed in neutron:
status: In Progress → Fix Committed
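The following is an added example, not neutron's code and not part of this bug report. It models the three behaviours discussed above in one small Python handler: the original behaviour the reporter complains about (404 on every policy failure), the reporter's suggested change (403 on every policy failure), and the merged fix as the commit message describes it (403 only when the caller already owns the object, 404 otherwise). The in-memory network store, the two policy rules, the Context class and the enforce()/update_network() functions are constructed stand-ins for neutron's policy.enforce() and the controller's update(); the actual diff in review 112150 is not reproduced here. The probe function shows the enumeration oracle Kevin Benton's comment warns about: with a blanket 403, a tenant can tell which foreign network ids exist.

```python
"""Added example (not neutron code): 404 vs 403 on attribute-policy failure.

All data and helpers below are constructed for illustration. The policy
rules mirror the two policy.json entries relevant to the bug.
"""
from dataclasses import dataclass

# Constructed sample data: two tenants, one network each.
NETWORKS = {
    "net-a": {"tenant_id": "tenant-a", "shared": False, "name": "a"},
    "net-b": {"tenant_id": "tenant-b", "shared": False, "name": "b"},
}

# Stand-in for the relevant policy.json rules.
POLICY = {
    "update_network": "rule:admin_or_owner",
    "update_network:shared": "rule:admin_only",
}


@dataclass
class Context:
    """Stand-in for the request context neutron hands to policy.enforce()."""
    tenant_id: str
    is_admin: bool = False


class PolicyNotAuthorized(Exception):
    """Stand-in for neutron.common.exceptions.PolicyNotAuthorized."""


def enforce(ctx, action, target):
    """Evaluate one policy rule against the original object; raise on failure."""
    rule = POLICY[action]
    if rule == "rule:admin_only":
        allowed = ctx.is_admin
    elif rule == "rule:admin_or_owner":
        allowed = ctx.is_admin or ctx.tenant_id == target["tenant_id"]
    else:
        raise ValueError(f"unknown rule {rule!r}")
    if not allowed:
        raise PolicyNotAuthorized(f"{action} disallowed by policy")


def update_network(ctx, net_id, body, mode="fixed"):
    """Return the HTTP status the caller would see for an update request.

    mode="original": the behaviour in the bug report (404 for any policy failure).
    mode="blanket403": the reporter's suggestion (403 for any policy failure).
    mode="fixed": the merged change as described in the commit message
                  (403 if the caller owns the object, otherwise 404).
    The write itself is omitted; only the status code matters here.
    """
    orig = NETWORKS.get(net_id)
    if orig is None:
        return 404  # genuinely missing: always 404
    # The entity-level rule, plus one attribute-level rule per attribute
    # in the body that has its own policy entry (here only "shared").
    actions = ["update_network"] + [
        f"update_network:{attr}" for attr in body
        if f"update_network:{attr}" in POLICY
    ]
    try:
        for action in actions:
            enforce(ctx, action, orig)
    except PolicyNotAuthorized:
        if mode == "blanket403":
            return 403
        if mode == "fixed" and ctx.tenant_id == orig["tenant_id"]:
            # Caller created this object, so its existence is not a secret.
            return 403
        return 404  # pretend it does not exist
    return 200


def probe_exists(ctx, net_id, mode):
    """Attacker's oracle: request an admin-only attribute change on a guessed id.

    Returns True when the server's answer differs from what a missing id
    returns, i.e. when the id's existence has been revealed to a non-owner.
    """
    missing_status = update_network(ctx, "no-such-net", {"shared": True}, mode)
    return update_network(ctx, net_id, {"shared": True}, mode) != missing_status


if __name__ == "__main__":
    attacker = Context("tenant-a")
    for mode in ("original", "blanket403", "fixed"):
        print(mode,
              "own net:", update_network(attacker, "net-a", {"shared": True}, mode),
              "foreign net:", update_network(attacker, "net-b", {"shared": True}, mode),
              "leaks existence of net-b:", probe_exists(attacker, "net-b", mode))
```

Running the module prints one line per mode: only "blanket403" answers 403 for the foreign network while answering 404 for a non-existent id, which is exactly the oracle the 404 was meant to prevent; "fixed" keeps the 404 for foreign ids and gives the owner the 403 the reporter asked for.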
Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: juno-3 → 2014.2