Default `target={}` value leaks into subsequent `policy.check()` calls
Bug #1396544 reported by
Timur Sufiev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Fix Released
|
High
|
Timur Sufiev | ||
Icehouse |
Fix Released
|
High
|
Timur Sufiev | ||
Juno |
Fix Released
|
High
|
Timur Sufiev | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Due to mutable dictionary being used as the default `target` argument value the first target calculated from scratch in POLICY_CHECK function will be used for all subsequent calls to POLICY_CHECK with 2 arguments. The wrong `target` can either lead to a reduced set of operations on an entity for a given user, or to enlarged one. The latter case poses a security breach from an cloud operators' point of view.
Changed in horizon: | |
status: | New → Confirmed |
tags: | removed: icehouse-backport-potential juno-backport-potential |
Changed in horizon: | |
milestone: | none → kilo-1 |
Changed in horizon: | |
status: | Fix Committed → Fix Released |
Changed in horizon: | |
milestone: | kilo-1 → 2015.1.0 |
To post a comment you must log in.
I'm not sure if this can be intentionally exploited, and after chatting with Timur some more on IRC I suspect this mainly creates a huge UX hassle (that we definitely want to fix asap) and the security implications may be limited, because in the end the other services' policies will take over and prevent the end-user from accessing data or performing actions they're not allowed to. I could be missing something though.
Also, applying the patch (which looks fine to me and gets my +2) appears to resolve the random access issues highlighted in bug 1382316.
We will definitely want to backport this to Juno and Icehouse as well (the current patch only applies cleanly onto master at the moment).