SQL Error during update tenant and possibly other calls
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Low | Unassigned | |
Bug Description
Attributes in the description cause SQL error and 500. Possible injection.
PUT /v2.0/tenants/
Host: <not shown>:35357
X-Auth-Token: <not shown>
Content-Type: application/xml
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
User-Agent: python-
Content-Length: 245
<tenant enabled="false" name="ACME corp" id="1234556">
<description test=""
</tenant>
Response
HTTP/1.1 500 Internal Server Error
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 536
Date: Fri, 07 Mar 2014 21:16:52 GMT
<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://
summary:
- SQL Error during update tenant and possible other calls
+ SQL Error during update tenant and possibly other calls
Changed in ossa:
status: New → Incomplete
no longer affects: ossa
information type: Private Security → Public
Looks like this is just a case of poor input validation (producing a 500 where there should be a 400), and unless it can be demonstrated, I don't see any reason to worry about SQL injection here.
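Added example, not Keystone's code and not part of the original report: a sketch of the input validation the last comment calls for, answering 400 for a malformed body or a `description` that carries attributes, and showing that a bound SQL parameter turns a non-string value into a driver error (the 500) rather than injected SQL. It assumes the XML layer hands an attributed element to the backend as a mapping; `make_db`, `parse_tenant`, `update_tenant`, `unvalidated_update` and the SQLite table are hypothetical stand-ins.

```python
import sqlite3
import xml.etree.ElementTree as ET

def make_db():
    # Constructed one-row table standing in for the tenant store (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tenant (id TEXT PRIMARY KEY, name TEXT, enabled INTEGER, description TEXT)")
    db.execute("INSERT INTO tenant VALUES ('1234556', 'ACME corp', 1, '')")
    return db

def parse_tenant(xml_body):
    """Return (200, fields) for an acceptable tenant document, else (400, reason)."""
    if b"<!DOCTYPE" in xml_body or b"<!ENTITY" in xml_body:
        return 400, "DTD not accepted"  # keep entity declarations away from the parser
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return 400, "malformed XML"
    if root.tag != "tenant" or not root.get("id") or not root.get("name"):
        return 400, "invalid tenant element"
    if root.get("enabled") not in ("true", "false"):
        return 400, "enabled must be true or false"
    desc = root.find("description")
    # Attributes or child elements would make the description a structure, not text.
    if desc is not None and (desc.attrib or len(desc)):
        return 400, "description must be plain text"
    text = "" if desc is None else (desc.text or "")
    return 200, {"id": root.get("id"), "name": root.get("name"),
                 "enabled": root.get("enabled") == "true", "description": text}

def update_tenant(db, xml_body):
    """Validate first, so only scalar values ever reach the bound parameters."""
    status, fields = parse_tenant(xml_body)
    if status != 200:
        return status, fields
    db.execute("UPDATE tenant SET name=?, enabled=?, description=? WHERE id=?",
               (fields["name"], fields["enabled"], fields["description"], fields["id"]))
    return 200, fields

def unvalidated_update(db, description):
    """Failure mode (assumed): an unchecked value goes straight to the driver."""
    try:
        db.execute("UPDATE tenant SET description=? WHERE id='1234556'", (description,))
        return 200
    except sqlite3.Error:  # binding an unsupported type such as a dict fails here
        return 500
```

Because every value is passed as a bound parameter, a string containing quotes is stored as data, and a mapping is refused by the driver before any SQL is built from it.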