Comment 0 for bug 1613901
Revision history for this message
| Charles Neill (charles-neill) wrote String "..%c0%af" causes 500 errors in multiple locations in Keystone v3 | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
While doing some testing on Keystone using Syntribos (https:/
Here are some examples:
=========
DELETE /v3/policies/
Host: [REDACTED]:5000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-
X-Auth-Token: [REDACTED]
Content-Length: 0
HTTP/1.1 500 Internal Server Error
Date: Tue, 16 Aug 2016 22:04:27 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-
Content-Length: 143
Connection: close
Content-Type: application/json
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
=========
PATCH /v3/policies/
Host: [REDACTED]:5000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-
Content-type: application/json
X-Auth-Token: [REDACTED]
Content-Length: 70
{"type": "--serializatio
HTTP/1.1 500 Internal Server Error
Date: Tue, 16 Aug 2016 22:05:36 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-
Content-Length: 143
Connection: close
Content-Type: application/json
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
=========
GET /v3/domains/
Host: [REDACTED]:5000
Connection: close
Accept-Encoding: gzip, deflate
Accept: application/json
User-Agent: python-
X-Auth-Token: [REDACTED]
HTTP/1.1 500 Internal Server Error
Date: Tue, 16 Aug 2016 22:07:09 GMT
Server: Apache/2.4.7 (Ubuntu)
Vary: X-Auth-Token
X-Distribution: Ubuntu
x-openstack-
Content-Length: 143
Connection: close
Content-Type: application/json
{"error": {"message": "An unexpected error prevented the server from fulfilling your request.", "code": 500, "title": "Internal Server Error"}}
=========
I've marked this as a security issue as a precaution in case it turns out that there is a more serious vulnerability underlying these errors. We have no reason to suspect that there is a greater vulnerability at this time, but given the many endpoints this seems to affect, I figured caution was worthwhile since this may be a framework-wide issue. Feel free to make this public if it is determined not to be security-impacting.
Here is a (possibly incomplete) list of affected endpoints. Inserting the string "..%c0%af" in any or all of the spots labeled "HERE" should yield a 500 error. As you can see, virtually all v3 endpoints exhibit this behavior.
=========
[GET|PATCH|DELETE] /v3/endpoints/
[GET|PATCH] /v3/domains/[HERE]
GET /v3/domains/
[HEAD|PUT|DELETE] /v3/domains/
GET /v3/domains/
[HEAD|DELETE] /v3/domains/
[GET|PATCH|DELETE] /v3/groups/[HERE]
[HEAD|PUT|DELETE] /v3/groups[
[POST|DELETE] /v3/keys/[HERE]
[GET|PATCH|DELETE] /v3/policies/[HERE]
[GET|PUT|DELETE] /v3/policies/
[GET|HEAD] /v3/policies/
[GET|PUT|DELETE] /v3/policies/
[PUT|DELETE] /v3/policies/
[GET|PUT|DELETE] /v3/policies/
[GET|PATCH|DELETE] /v3/projects/[HERE]
[DELETE|PATCH] /v3/projects/
GET /v3/projects/
GET /v3/projects/
[HEAD|PUT|DELETE] /v3/projects/
[GET|PATCH|DELETE] /v3/regions/[HERE]
[PATCH|DELETE] /v3/roles/[HERE]
[GET|PATCH|DELETE] /v3/services/[HERE]
[GET|PATCH|DELETE] /v3/users/[HERE]
GET /v3/users/
POST /v3/users/
GET /v3/users/
GET /v3/OS-
[GET|PATCH|DELETE] /v3/OS-
[GET|DELETE] /v3/OS-