500 errors thrown by API if the URL is having specially crafted strings

Bug #1679288 reported by Rahul U Nair
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Cinder | Confirmed | Undecided | Unassigned | |

Bug Description

As part of the OSIC team's security review of different OpenStack projects, we identified this issue when fuzzing the cinder API.

## Request

```http
GET http://127.0.0.1:8776/v3/%99/volumes HTTP/1.1
X-Auth-Token: gAAAAABY0-YrntrLI8rDZdoOIoyAQ0dJ5VC7f-Tma2nBiLZOijW4-Ox-3TVRAK4A5G0MGn54QadVMrIs2r-AYXpE0YwxKnHO8XNzRSzP-1vQAg5L0IrhMjHWIKqsot9yoHhrAc6-BBfmIBBU0TKQvOIc-ivhuzSuJyDcKAEA3gZSETX5BR7fuIA
Content-Length: 0
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 127.0.0.1:8776
```

## Response

```http
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 0
Date: Thu, 23 Mar 2017 15:15:04 GMT
Connection: close
```

## Log tail

```text
root@vagrant-ubuntu-trusty-64:/opt/stack/logs# tail -f c-api.log
    bpath_info = bytes_(self.path_info, self.url_encoding)
  File "/usr/local/lib/python2.7/dist-packages/webob/descriptors.py", line 68, in fget
    return req.encget(key, encattr=encattr)
  File "/usr/local/lib/python2.7/dist-packages/webob/request.py", line 177, in encget
    return val.decode(encoding)
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode byte 0x99 in position 1: invalid start byte
```

This is caused by the %99 unicode byte; the issue is present for any number of code points, as the webob object fails to handle the exception raised by utf_8.py. This may be handled at the cinder API level so that it does not cause a server error.
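The mechanism described above, as an added example that is not cinder's or webob's own code: a WSGI server percent-decodes the request-target into raw bytes and exposes them in `PATH_INFO` as a latin-1 "bytes-as-str" value (PEP 3333), so `%99` becomes the single byte 0x99; webob then re-encodes to bytes and decodes as UTF-8, which raises `UnicodeDecodeError` for that byte. The middleware below (`RejectInvalidUtf8Path`, a hypothetical name) performs the same decode before the application runs and answers 400 instead of letting the exception surface as a 500. `volumes_app` and `call` are constructed stand-ins for the API and the server, not real cinder components.

```python
"""Added example: reject non-UTF-8 request paths with 400 at the WSGI layer.

Not cinder's or webob's code; `volumes_app`, `call` and the middleware name
are constructed for illustration.
"""
from urllib.parse import unquote_to_bytes


def path_info_from_request_target(target):
    """Mimic a WSGI server: percent-decode the request-target to raw bytes,
    then expose them as a latin-1 str in PATH_INFO (PEP 3333 'bytes-as-str').
    '%99' therefore becomes the single byte 0x99, not a code point."""
    return unquote_to_bytes(target).decode('latin-1')


def decode_path_info(environ):
    """Re-create what webob's req.path_info does: recover the raw bytes from
    the latin-1 str and decode them as UTF-8.  Raises UnicodeDecodeError for
    byte sequences such as b'/v3/\\x99/volumes'."""
    raw = environ.get('PATH_INFO', '').encode('latin-1')
    return raw.decode('utf-8')


def volumes_app(environ, start_response):
    """Constructed stand-in for the API application.  It reads the decoded
    path exactly the way the traceback above shows webob doing it, so without
    protection a bad byte escapes as an unhandled exception (a 500)."""
    path = decode_path_info(environ)
    body = ('volumes for ' + path).encode('utf-8')
    start_response('200 OK', [('Content-Type', 'text/plain'),
                              ('Content-Length', str(len(body)))])
    return [body]


class RejectInvalidUtf8Path:
    """Hypothetical middleware: validate the path before the application
    (or webob) touches it, turning a decode failure into a client error."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        try:
            decode_path_info(environ)
        except UnicodeDecodeError:
            body = b'Bad Request: request path is not valid UTF-8'
            start_response('400 Bad Request',
                           [('Content-Type', 'text/plain'),
                            ('Content-Length', str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def call(app, target):
    """Drive a WSGI app with a constructed GET for `target` the way a server
    would; returns (status line, response body)."""
    environ = {
        'REQUEST_METHOD': 'GET',
        'PATH_INFO': path_info_from_request_target(target),
        'SERVER_NAME': '127.0.0.1',
        'SERVER_PORT': '8776',
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = headers

    body = b''.join(app(environ, start_response))
    return captured['status'], body


if __name__ == '__main__':
    guarded = RejectInvalidUtf8Path(volumes_app)
    # Constructed request-targets: the reported one, a valid multi-byte
    # sequence (U+2019 as %e2%80%99), and a plain ASCII path.
    for target in ('/v3/%99/volumes', '/v3/%e2%80%99/volumes', '/v3/volumes'):
        print(target, '->', call(guarded, target)[0])
```

The check deliberately runs the same decode webob performs rather than a looser heuristic, so anything the middleware lets through is guaranteed to decode cleanly downstream; `%e2%80%99` passes because its three bytes form one valid UTF-8 sequence, whereas a lone `%99` is a continuation byte with no leading byte.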

Eric Harney (eharney)
Changed in cinder:
assignee: nobody → Eric Harney (eharney)
Changed in cinder:
status: New → Confirmed
Sean McGinnis (sean-mcginnis) wrote : Bug Assignee Expired

Unassigning due to no activity for > 6 months.

Changed in cinder:
assignee: Eric Harney (eharney) → nobody