Reject overly-taxing ranged-GET requests

Bug #1373732 reported by OpenStack Infra
Affects: openstack-api-site
Status: Fix Released
Importance: Medium
Assigned to: Diane Fleming

Bug Description

https://review.openstack.org/117579
commit 4d23a0fcf5faa6339a1a58fcbdab8687a6c88feb
Author: Samuel Merritt <email address hidden>
Date: Thu Aug 28 09:39:38 2014 -0800

    Reject overly-taxing ranged-GET requests

    RFC 7233 says that servers MAY reject egregious range-GET requests
    such as requests with hundreds of ranges, requests with non-ascending
    ranges, and so on.

    Such requests are fairly hard for Swift to process. Consider a Range
    header that asks for the first byte of every 10th MiB in a 4 GiB
    object, but in some random order. That'll cause a lot of seeks on the
    object server, but the corresponding response body is quite small in
    comparison to the workload.

    This commit makes Swift reject, with a 416 response, any ranged GET
    request with more than fifty ranges, more than three overlapping
    ranges, or more than eight non-increasing ranges.

    This is a necessary prerequisite for supporting multi-range GETs on
    large objects. Otherwise, a malicious user could construct a Range
    header with hundreds of byte ranges where each individual byterange
    requires the proxy to contact a different object server. If seeking
    all over a disk is bad, connecting all over the cluster is way worse.

    DocImpact

    Change-Id: I4dcedcaae6c3deada06a0223479e611094d57234
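The commit message above states the policy (reject with 416 when a ranged GET carries more than fifty ranges, more than three overlapping ranges, or more than eight non-increasing ranges) but not how the counts are taken. The following is an added illustration, written for this page and not Swift's own code: it resolves a `bytes=` Range header against an object length per RFC 7233, applies the three thresholds, and rebuilds the commit's "first byte of every 10th MiB of a 4 GiB object, in random order" request to show it being rejected. The definitions of "overlapping" (a range that intersects any earlier range) and "non-increasing" (a range whose start is not beyond the previous range's start), the `range_decision` function name and the 200/206/416 mapping are this example's own assumptions, as is the choice to ignore a syntactically invalid header rather than reject it.

```python
import random
import re
from typing import List, Optional, Tuple

# Thresholds quoted from the commit message; everything else here is assumed.
MAX_RANGES = 50
MAX_OVERLAPPING_RANGES = 3
MAX_NONASCENDING_RANGES = 8

MiB = 1024 * 1024
GiB = 1024 * MiB

# byte-range-spec ("first-last", "first-") or suffix-byte-range-spec ("-suffix")
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header: str, length: int) -> Optional[List[Tuple[int, int]]]:
    """Resolve a bytes= Range header against an object of `length` bytes.

    Returns inclusive (start, end) pairs for every satisfiable spec, in the
    order requested; unsatisfiable specs (start past EOF, empty suffix) are
    dropped.  Returns None when the header is not a valid bytes-unit Range,
    which a server may ignore per RFC 7233 section 3.1.
    """
    if not header.lower().startswith("bytes="):
        return None
    resolved = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                      # e.g. "bytes=-" or "bytes=abc"
        first, last = m.group(1), m.group(2)
        if first == "":
            n = int(last)                    # suffix: the last n bytes
            if n == 0:
                continue
            start, end = max(0, length - n), length - 1
        else:
            start = int(first)
            if last != "" and int(last) < start:
                return None                  # last-byte-pos before first-byte-pos
            end = length - 1 if last == "" else min(int(last), length - 1)
        if start >= length or end < start:
            continue                         # unsatisfiable, ignore this spec
        resolved.append((start, end))
    return resolved


def count_overlapping(ranges: List[Tuple[int, int]]) -> int:
    """Ranges that intersect at least one earlier range in the list (assumed definition)."""
    count = 0
    for i, (s, e) in enumerate(ranges):
        if any(s <= e2 and s2 <= e for s2, e2 in ranges[:i]):
            count += 1
    return count


def count_nonascending(ranges: List[Tuple[int, int]]) -> int:
    """Ranges whose start does not lie beyond the previous start (assumed definition)."""
    return sum(1 for (s1, _), (s2, _) in zip(ranges, ranges[1:]) if s2 <= s1)


def range_decision(header: str, length: int) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (status, ranges_to_serve): 200 = Range ignored, 206 = serve ranges, 416 = rejected."""
    ranges = parse_byte_ranges(header, length)
    if ranges is None:
        return 200, []                       # malformed header: serve the whole object
    if not ranges:
        return 416, []                       # nothing satisfiable
    if (len(ranges) > MAX_RANGES
            or count_overlapping(ranges) > MAX_OVERLAPPING_RANGES
            or count_nonascending(ranges) > MAX_NONASCENDING_RANGES):
        return 416, []                       # egregious per the commit's thresholds
    return 206, ranges


def egregious_header(seed: int = 0) -> str:
    """Constructed request from the commit message: first byte of every 10th MiB
    of a 4 GiB object, in a shuffled order (410 single-byte ranges)."""
    offsets = [i * MiB for i in range(0, 4 * GiB // MiB, 10)]
    random.Random(seed).shuffle(offsets)
    return "bytes=" + ",".join(f"{o}-{o}" for o in offsets)


if __name__ == "__main__":
    samples = [("bytes=0-99", 1000), ("bytes=-100", 1000), ("bytes=2000-", 1000),
               (egregious_header(), 4 * GiB)]
    for hdr, length in samples:
        status, ranges = range_decision(hdr, length)
        print(status, hdr[:40] + ("..." if len(hdr) > 40 else ""), ranges[:3])
```

The seek-amplification the commit describes is visible in `egregious_header()`: the response body is 410 bytes, yet without the cap each byte would cost a separate seek (or, for large objects, a separate object-server connection). A short ordered multi-range request such as `bytes=0-9,20-29,40-49` still gets 206, so ordinary clients are unaffected.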

Tags: swift
Anne Gentle (annegentle)
no longer affects: openstack-manuals
Changed in openstack-api-site:
status: New → Confirmed
importance: Undecided → Medium
Atsushi SAKAI (sakaia) wrote :

This seems to be a "Range" issue.
And this is not a problem for the usual case.
The problematic case is overlapping ranges (to attack data transfer).
So I think there is no need to write it down.
If it still needs a description, it needs a note on Range.
http://developer.openstack.org/api-ref-objectstorage-v1.html#getObject

Changed in openstack-api-site:
assignee: nobody → Diane Fleming (diane-fleming)
milestone: none → mitaka
OpenStack Infra (hudson-openstack) wrote : Fix proposed to api-site (master)

Fix proposed to branch: master
Review: https://review.openstack.org/262871

Changed in openstack-api-site:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to api-site (master)

Reviewed: https://review.openstack.org/262871
Committed: https://git.openstack.org/cgit/openstack/api-site/commit/?id=40c0e291b5af2a6083e3a54df15413ae03e16342
Submitter: Jenkins
Branch: master

commit 40c0e291b5af2a6083e3a54df15413ae03e16342
Author: Diane Fleming <email address hidden>
Date: Fri Jan 1 11:43:16 2016 -0600

    Add note about 416 return code for overtaxed ranged GET requests

    Change-Id: I4eda8f1c22ba12863340f8050ecb18d9ce04cd13
    Closes-Bug: #1373732

Changed in openstack-api-site:
status: In Progress → Fix Released