SQL injection through limit parameter
Bug #918608 reported by Thierry Carrez
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Ziad Sawalha | 2012.1
Bug Description
Received as encrypted email from Nikita Savin (GridDynamics):
* Background
1) In sqlalchemy <= 0.7.0b, the limit() function did not check that its parameter is an integer (the 0.6.7 changelog marks this as fixed, but the issue still exists in 0.6.8). http://
2) The keystone API does not check that the limit parameter is an integer and passes it to sqlalchemy as-is, resulting in SQL injection.
* Workaround
Upgrade sqlalchemy to >= 0.7.0b
* Patch
A straightforward patch for keystone-2012.1 is attached.
It would probably be a good idea to rewrite the handling of API parameters the way it is done in Glance (with SUPPORT_PARAMS and strict checking).
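The report above describes the mechanism but shows no code. The following is an added example, written for this page; it is not keystone's code, not the attached patch, and not SQLAlchemy. It uses the stdlib sqlite3 module with a constructed tenant table: `vulnerable_list_tenants` stands in for the old behaviour of stringifying the `limit` value into the SQL text, `boolean_probe` builds the kind of `?limit=` value that turns that into a yes/no oracle (it relies on SQLite accepting a scalar expression after LIMIT, which is dialect-specific), and `parse_limit` / `safe_list_tenants` show the strict-integer check plus bound parameter that closes the hole. All function names, the table layout and the `MAX_LIMIT` / `DEFAULT_LIMIT` values are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a Keystone tenant table; not taken
# from the bug report or the keystone code base.
TENANTS = [
    (1, "alpha", 1),
    (2, "beta", 1),
    (3, "gamma", 0),  # disabled tenant the caller is never supposed to see
]

MAX_LIMIT = 1000      # assumed server-side cap; keystone's real value is not on this page
DEFAULT_LIMIT = 100   # assumed default when no ?limit= is supplied


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tenants (id INTEGER, name TEXT, enabled INTEGER)")
    conn.executemany("INSERT INTO tenants VALUES (?, ?, ?)", TENANTS)
    return conn


def vulnerable_list_tenants(limit):
    """Stand-in for the pre-0.7.0b behaviour the report describes: the value
    received as ?limit= is stringified straight into the SQL text, so anything
    that is not an integer becomes part of the statement.  Deliberately
    unsafe; kept only to make the failure mode visible."""
    sql = "SELECT id, name FROM tenants WHERE enabled = 1 LIMIT %s" % (limit,)
    return _connect().execute(sql).fetchall()


def boolean_probe(condition_sql):
    """Constructed attacker value for the vulnerable path.  SQLite accepts a
    scalar expression after LIMIT, so this evaluates to 10 when the injected
    condition holds and to 0 otherwise: the number of rows in the response
    answers a yes/no question about data the caller was never shown."""
    return "(SELECT CASE WHEN (%s) THEN 10 ELSE 0 END)" % condition_sql


_LIMIT_RE = re.compile(r"[0-9]+")


def parse_limit(raw):
    """Strict parse of a query-string limit.  A bare int() is not enough:
    int(" 7 "), int("+7") and int("7_000") all succeed in Python 3, so the
    value is accepted only if the whole string is ASCII digits, then clamped."""
    if raw is None:
        return DEFAULT_LIMIT
    if not isinstance(raw, str) or not _LIMIT_RE.fullmatch(raw):
        raise ValueError("limit must be a non-negative integer: %r" % (raw,))
    return min(int(raw), MAX_LIMIT)


def safe_list_tenants(raw_limit):
    """Hardened path: validate first, then hand the integer to the driver as a
    bound parameter so it is never spliced into the SQL text."""
    limit = parse_limit(raw_limit)
    return _connect().execute(
        "SELECT id, name FROM tenants WHERE enabled = 1 LIMIT ?", (limit,)
    ).fetchall()


if __name__ == "__main__":
    print(vulnerable_list_tenants("1"))
    yes = boolean_probe("(SELECT count(*) FROM tenants WHERE enabled = 0) = 1")
    no = boolean_probe("(SELECT count(*) FROM tenants WHERE enabled = 0) = 7")
    # Two rows vs. zero rows leaks whether exactly one disabled tenant exists.
    print(len(vulnerable_list_tenants(yes)), len(vulnerable_list_tenants(no)))
    print(safe_list_tenants("1"))
    try:
        safe_list_tenants(yes)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened version does two independent things, and both matter: the allow-list regex rejects every non-digit string (including whitespace, signs and underscores that `int()` would silently accept), and the bound `?` parameter means that even a future bug in the validator cannot turn the value back into SQL text.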
CVE References
Changed in keystone: status: Confirmed → In Progress
Changed in keystone: status: In Progress → Fix Committed
Changed in keystone: status: Fix Committed → Fix Released
Changed in keystone: status: Fix Released → Fix Committed
Changed in keystone: status: Fix Committed → Fix Released
visibility: private → public
Changed in keystone: milestone: essex-3 → 2012.1
Note that this issue raises a new vulnerability process question: should we release advisories for a project that was never officially released? (My take on it is that it's sufficiently serious for us to do an advisory even if no "official" version exists.)