Default `target={}` value leaks into subsequent `policy.check()` calls
Bug #1397114 reported by
Timur Sufiev
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Mirantis OpenStack |
Fix Committed
|
High
|
Timur Sufiev | ||
| 5.1.x |
Invalid
|
High
|
MOS Maintenance | ||
Bug Description
Due to mutable dictionary being used as the default `target` argument value the first target calculated from scratch in POLICY_CHECK function will be used for all subsequent calls to POLICY_CHECK with 2 arguments. The wrong `target` can either lead to a reduced set of permissions on an entity for a given user, or to enlarged one. Due to independent policy checks at each service side this doesn't pose a serious security breach, but can lead to weird UX behaviour.
This is a clone of upstream security bug.
| description: | updated |
| Changed in mos: | |
| status: | New → Fix Committed |
| milestone: | none → 6.0 |
Revision history for this message
| Timur Sufiev (tsufiev-x) wrote | #1 |
| information type: | Private Security → Public |
Revision history for this message
| Timur Sufiev (tsufiev-x) wrote | #2 |
| no longer affects: | mos/5.1.1-updates |
Revision history for this message
| Fuel Devops McRobotson (fuel-devops-robot) wrote Fix proposed to openstack/horizon (openstack-ci/fuel-7.0/2015.1.0) | #3 |
Revision history for this message
| Fuel Devops McRobotson (fuel-devops-robot) wrote Change abandoned on openstack/horizon (openstack-ci/fuel-7.0/2015.1.0) | #4 |
To post a comment you must log in.
Making public because it's opened in upstream.