500 errors thrown by API if the URL is having specially crafted strings
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Cinder | Confirmed | Undecided | Unassigned | |
Bug Description
As part of the OSIC team's security review of different OpenStack projects, we identified this issue when fuzzing the cinder API.
## Request
GET http://
X-Auth-Token: gAAAAABY0-
Content-Length: 0
User-Agent: Jakarta Commons-
Host: 127.0.0.1:8776
## Response
HTTP/1.1 500 Internal Server Error
Content-Type: text/plain
Content-Length: 0
Date: Thu, 23 Mar 2017 15:15:04 GMT
Connection: close
## log tail
root@vagrant-
bpath_info = bytes_(
File "/usr/local/
return req.encget(key, encattr=encattr)
File "/usr/local/
return val.decode(
File "/usr/lib/
return codecs.
UnicodeDecodeError: 'utf8' codec can't decode byte 0x99 in position 1: invalid start byte
This is caused by the %99 unicode; this issue is present for any number of code points, as the webob object fails to handle the exception returned by utf_8.py. This may be handled at the cinder API level so that this does not cause a server error.
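One way to turn this failure into a client error instead of a 500, shown as an added example that is not part of the original report and is not Cinder or WebOb code. It assumes Python 3 and a PEP 3333 server; `RejectUndecodablePath`, `fragile_app`, `call` and the `/constructed/...` paths are hypothetical names and sample inputs made up for the illustration.

```python
from urllib.parse import unquote_to_bytes


def path_is_valid_utf8(environ):
    # PEP 3333 servers pass PATH_INFO already percent-decoded, one character
    # per byte (latin-1), so "%99" in the URL arrives as the single byte 0x99.
    try:
        environ.get("PATH_INFO", "").encode("latin-1").decode("utf-8")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return True


class RejectUndecodablePath:
    """Hypothetical middleware: answer 400 before the wrapped app sees the path."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if path_is_valid_utf8(environ):
            return self.app(environ, start_response)
        body = b"Bad Request: URL path is not valid UTF-8\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]


def fragile_app(environ, start_response):
    """Stand-in for the API: decodes the path with no error handling."""
    path = environ["PATH_INFO"].encode("latin-1").decode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [path.encode("utf-8")]


def call(app, percent_encoded_path):
    """Drive app as a WSGI server would (constructed environ); return (status, body)."""
    environ = {"REQUEST_METHOD": "GET",
               "PATH_INFO": unquote_to_bytes(percent_encoded_path).decode("latin-1")}
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body


if __name__ == "__main__":
    guarded = RejectUndecodablePath(fragile_app)
    print(call(guarded, "/constructed/%99"))         # rejected with 400
    print(call(guarded, "/constructed/%E2%82%AC"))   # valid UTF-8 passes through
```

Without the wrapper, `fragile_app` raises the same kind of `UnicodeDecodeError` seen in the log tail, which the server then reports as a 500.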
description: updated
Changed in cinder:
assignee: nobody → Eric Harney (eharney)
Changed in cinder:
status: New → Confirmed
Unassigning due to no activity for > 6 months.