wsgi should limit max body size of a request

Bug #1251313 reported by Nikhil Komawar
Affects: Glance
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Currently the wsgi server does not check the size of the body in the request, and this could result in someone uploading a really big image or an infinite stream of data, resulting in a DoS attack or bringing down the service altogether.

Mark Washenberger (markwash) wrote :

I can't say for certain, but it seems like people would normally solve this problem at their load-balancer level.

Dan Prince (dan-prince) wrote :

We never applied the wsgi request size limiting middleware to Glance because Glance does actually need to receive rather large files (images). This middleware was always sort of an "if all else fails" approach anyway because, as Mark points out, there are other places (outside of Glance) where request size attacks might be better guarded against.

If we do add any sort of request size checks to glance we'll need to be sure to exclude requests which actually upload image data.

Nikhil Komawar (nikhil-komawar) wrote :

I was wondering, now that Glance is moving to being a public-facing endpoint, if we can have a configurable limit on the size of data. That way a small private deployment of Glance, for example one in an academic institution (not behind a proxy), can be safe from human errors too.

Luke Wollney (luke-wollney) wrote :

This is a known failure and was seen while executing recent functional tests.

Zhi Yan Liu (lzy-dev) wrote :

I think there are two ways we could go for this issue:

1. Document this issue in the operations documentation to make operators aware of these potential issues (e.g. DDoS, memory overflow); as a solution, operators should check the length of the request payload in their load balancer or front proxy server.

2. Implement a middleware in OpenStack/Glance to check the length of the request.

From the perspective of making OpenStack/Glance self-contained, I personally tend to think this issue should be covered by a built-in middleware (way #2). But after talking about this with the Nova API maintainer, from the perspective of seeing this as a common potential security defect, the result is that we see this could be more easily solved by the operator in a real production deployment, so way #1 is more suitable for us.

tags: added: propose-close
Ian Cordasco (icordasc) wrote :

So if we are going to choose #1, we need to alert the documentation team. Beyond that, we need to make sure that it's known that we do no validation of the content-length provided by the user. Users expecting an error in those cases will be surprised.

Ian Cordasco (icordasc)
Changed in glance:
importance: Undecided → Wishlist
status: New → Confirmed
status: Confirmed → Triaged
tags: removed: propose-close
Changed in glance:
assignee: nobody → jelly (coding1314)
Ian Cordasco (icordasc) wrote :

Hey Jelly,

We prefer that users allow hudson openstack to assign issues appropriately to avoid confusion. When you submit a review for this bug, it will be assigned to you as expected.

Cheers,
Ian

Changed in glance:
assignee: jelly (coding1314) → nobody
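
The middleware approach discussed in this thread (way #2), written as plain WSGI with image uploads exempted and the client's Content-Length not trusted. This is an added example, not Glance or OpenStack code; the class names, the upload path pattern and the limits are assumptions.

```python
import re

# Assumption: image data is uploaded with PUT /v2/images/<id>/file.
UPLOAD_PATH = re.compile(r"^/v2/images/[^/]+/file$")

class BodyTooLarge(Exception):
    """Raised by LimitedReader when the body exceeds the limit."""

class LimitedReader:
    """Wraps wsgi.input and counts the bytes actually read."""
    def __init__(self, stream, limit):
        self.stream, self.limit, self.seen = stream, limit, 0

    def read(self, size=-1):
        # Read at most one byte past the remaining budget, never "everything".
        budget = self.limit - self.seen + 1
        want = budget if size is None or size < 0 else min(size, budget)
        data = self.stream.read(want)
        self.seen += len(data)
        if self.seen > self.limit:
            raise BodyTooLarge()
        return data

class BodySizeLimit:
    """Hypothetical middleware: max_body for API calls, max_upload for image data."""
    def __init__(self, app, max_body=64 * 1024, max_upload=None):
        self.app, self.max_body, self.max_upload = app, max_body, max_upload

    def __call__(self, environ, start_response):
        is_upload = (environ.get("REQUEST_METHOD") == "PUT"
                     and UPLOAD_PATH.match(environ.get("PATH_INFO", "")))
        limit = self.max_upload if is_upload else self.max_body
        if limit is None:  # image uploads stay unlimited unless configured
            return self.app(environ, start_response)
        declared = environ.get("CONTENT_LENGTH") or "0"
        if not re.fullmatch(r"[0-9]+", declared):
            return self._reject(start_response, "400 Bad Request")
        if int(declared) > limit:  # cheap rejection before reading anything
            return self._reject(start_response, "413 Request Entity Too Large")
        # Content-Length can be absent (chunked) or understated: count real bytes too.
        environ["wsgi.input"] = LimitedReader(environ["wsgi.input"], limit)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:
            return self._reject(start_response, "413 Request Entity Too Large")

    def _reject(self, start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
```

The 413 for an over-long stream is only produced here if the wrapped application reads the body before it returns; an application that streams lazily or has already started its response needs the exception handled at the point of the read.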