encoded slashes being blocked by Apache

Bug #1717615 reported by Graham Burgess on 2017-09-15
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Charm Helpers
Undecided
Unassigned
OpenStack Heat
Undecided
Unassigned
OpenStack heat charm
Undecided
Unassigned
Ubuntu Cloud Archive
High
Unassigned
Mitaka
High
Unassigned
Newton
High
Unassigned
Ocata
High
Unassigned
python-heatclient (Ubuntu)
High
Unassigned
Xenial
High
Unassigned
Zesty
High
Unassigned

Bug Description

[Impact]
We came across a situation where we were unable to view resources in a stack inside Horizon. We traced it down to a communication problem with the Heat Apache frontend and Heat. After adjusting the log level for Apache, we came across the following error in the logs:

[client 213.173.193.177:33920] AH00026: found %2f (encoded '/') in URI (decoded='/v1/c064a39d602d4f42bc49e09057c97683/stacks/heat_test_foo/b5c125a3-d452-49a1- a12e-03e098fbb38c/resources/foo_vm-01'), returning 404

As a workaround, we currently added the following line to the /etc/apache/sites-enabled/openstack-https_frontend.conf on our Heat instance:

AllowEncodedSlashes On

It is worth noting we tried to use the NoDecode option as well and that is didn't resolve the problem.

[Test Case]
See details in impact section. For our testing we deploy OpenStack with the OpenStack charms to deploy Horizon, Heat, etc.

[Regression Potential]
Low. The patch being backported is from the upstream stable/pike branch. There were some minor adjustments required to apply the patch to earlier releases, but the patches are nearly identical.

tags: added: canonical-sysadmin
tags: added: canonical-bootstack
removed: canonical-sysadmin
Liam Young (gnuoy) wrote :

The OpenStack infra team appear to have hit the same issue: http://lists.openstack.org/pipermail/openstack-dev/2017-May/117312.html

Changed in charm-heat:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → High
Xav Paice (xavpaice) wrote :

I've added Heat and the Ubuntu Cloud Archive packages to this bug since the actual Apache config appears to be coming from the package itself. The charm cowboy applied to make the manual change stick was a charmhelpers change.

In charm/hooks/charmhelpers/contrib/openstack/templates, add:

{% if ext == "7994" %} AllowEncodedSlashes On {% endif %}

FWIW, Xenial, Mitaka.

Xav Paice (xavpaice) on 2017-09-18
affects: cloud-archive → charm-helpers
Rabi Mishra (rabi) wrote :

Historically heat needed 'AllowEncodedSlashes On' for httpd deployment. Howerver, this was changed in pike heat (i.e you don't need to set that flag). python-heatclient 1.10.0[1] includes the relevant fix. Not sure what version of heat and python-heatclient you're using.

[1] https://github.com/openstack/python-heatclient/commit/a625d3bb93a18193058a09cb7887e9cfa4ea9df0

Xav Paice (xavpaice) wrote :

This is Mitaka heat, so we won't have that change in place. That's a much better fix than working around it in charms though.

Any chance of a backport?

Corey Bryant (corey.bryant) wrote :

This appears to be completely fixed in python-heatclient by reverting to the default safe parameter for urllib quote calls [0] (default value is '/' - ie. specifies that '/' should not be quoted).

[0] https://docs.python.org/2/library/urllib.html#urllib.quote

The code base affected for python-heatclient seems to be very similar back to mitaka, so I think we can SRU this via the Ubuntu package.

Changed in python-heatclient (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in python-heatclient (Ubuntu Artful):
status: Triaged → Fix Released
no longer affects: python-heatclient (Ubuntu Artful)
no longer affects: cloud-archive/pike
Changed in cloud-archive:
status: New → Invalid
status: Invalid → Fix Released
Changed in charm-helpers:
status: New → Invalid
Changed in heat:
status: New → Invalid
Changed in charm-heat:
status: Triaged → Invalid
importance: High → Undecided
Changed in cloud-archive:
importance: Undecided → High
Corey Bryant (corey.bryant) wrote :

Marked as invalid for charms and upstream heat since this looks to be limited to python-heatclient and is already fixed in upstream python-heatclient.

Changed in python-heatclient (Ubuntu Xenial):
importance: Undecided → High
status: New → Triaged
Changed in python-heatclient (Ubuntu Zesty):
importance: Undecided → High
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

New python-heatclient package versions have been uploaded to the zesty and xenial review queues and are awaying SRU review, and have been uploaded to newton-staging awaiting promotion to newton-proposed:

https://launchpad.net/ubuntu/zesty/+queue?queue_state=1&queue_text=
https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=
https://launchpad.net/~ubuntu-cloud-archive/+archive/ubuntu/newton-staging

description: updated

Hello Graham, or anyone else affected,

Accepted python-heatclient into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-heatclient/1.8.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-heatclient (Ubuntu Zesty):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-zesty
Changed in python-heatclient (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Graham, or anyone else affected,

Accepted python-heatclient into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-heatclient/1.1.0-2ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers