stack_create 500 Error with non-string stack_name
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Heat |
Fix Released
|
High
|
Steven Hardy | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
When sending a stack create request using the REST API through curl with the stack_name parameter set to either a list, or a dictionary a Server Error occurs.
The major problem with this is that when this occurs the response of the request will show what database backend the cloud is utilising whether it be MySQL, or PostgreSQL. This information could be used by a malicious user to exploit the databases. Additionally to the database engine being known, the query itself is also printed in the response.
This occurs regardless of the level of logging being set for the heat service.
This has been seen in the master branch as of 12/01/2016.
I have attached the response of a request with a Traceback.
The data being sent is the following:
{
"files": {},
"disable_
"parameters": {
"flavor": "m1.tiny"
},
"stack_name": {"test": "sample"},
"template": {
}
},
}
}
}
},
"timeout_mins": 60
}
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.
The database schema is already known, I'm not sure leaking the database backend type is really an issue.