Comment 30 for bug 1098307

Dan Prince (dan-prince) wrote : Re: unauthenticated POST to /tokens can fill up disk/logs

Dolphm: I think you are spot on. Obviously both of these patches are important... but I do feel like the immediate exploit might be better handled by this patch, which takes a more fine-grained approach.

Both this patch and what I did in https://review.openstack.org/#/c/19567/ prevent the issue however. I did 19567 as a catch all to prevent other things we might not know about... not necessarily to supplant the checks here.

-----

I'll look into making MAX_PARAM_SIZE a config variable. I suppose I based this roughly on the max size of the SQL backend (which to me seemed like a reasonable default).

ayoung: I do think the MAX_TOKEN_SIZE is going to need to be larger than MAX_PARAM_SIZE, so it warrants either an extra config or global.
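As an added illustration of the two approaches the comment contrasts (this is example code, not Keystone's own code and not either of the patches under review): a catch-all cap on the raw request body, applied before anything is parsed or logged, and a fine-grained per-parameter cap with a separate, larger limit for tokens. The limit values, the `screen_token_request` function name and the v2-style `POST /tokens` body shape are assumptions.

```python
# Added example, not Keystone's own code: a catch-all body-size check
# followed by per-parameter checks on an unauthenticated POST /tokens body.
import json

# Constructed defaults standing in for config options (values are assumptions).
MAX_BODY_SIZE = 16384    # catch-all: reject the raw body before it is parsed or logged
MAX_PARAM_SIZE = 64      # fine-grained: usernames, tenant names, passwords, etc.
MAX_TOKEN_SIZE = 8192    # tokens are legitimately larger than ordinary parameters


def _string_leaves(obj, path=()):
    """Yield (path, value) for every string leaf in a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            for leaf in _string_leaves(value, path + (key,)):
                yield leaf
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            for leaf in _string_leaves(value, path + (str(index),)):
                yield leaf
    elif isinstance(obj, str):
        yield path, obj


def screen_token_request(raw_body, max_body=MAX_BODY_SIZE,
                         max_param=MAX_PARAM_SIZE, max_token=MAX_TOKEN_SIZE):
    """Return (accepted, reason) for an unauthenticated POST /tokens body.

    Order matters: the catch-all body check runs first so an oversized request
    is never parsed or echoed into a log line; the per-field checks then catch
    a single bloated parameter hidden inside an otherwise small body.
    """
    if len(raw_body) > max_body:
        return False, "body %d bytes exceeds MAX_BODY_SIZE %d" % (len(raw_body), max_body)
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, "body is not valid JSON"
    for path, value in _string_leaves(body):
        # Anything nested under a "token" key gets the larger token limit.
        limit = max_token if "token" in path else max_param
        if len(value) > limit:
            return False, "%s is %d bytes, limit %d" % ("/".join(path), len(value), limit)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests exercising each code path.
    samples = {
        "good": json.dumps({"auth": {"passwordCredentials": {"username": "demo", "password": "secret"},
                                     "tenantName": "demo"}}),
        "bloated_username": json.dumps({"auth": {"passwordCredentials": {"username": "A" * 5000,
                                                                         "password": "x"}}}),
        "long_token": json.dumps({"auth": {"token": {"id": "T" * 2000}, "tenantName": "demo"}}),
        "huge_body": json.dumps({"auth": {"tenantName": "Z" * 20000}}),
    }
    for name, request in samples.items():
        print(name, screen_token_request(request))
```

Running the block rejects the oversized body on length alone and rejects the bloated username by its field limit, while the 2000-byte token is accepted because it falls under `MAX_TOKEN_SIZE` rather than `MAX_PARAM_SIZE`. In a real service these limits would be loaded from configuration rather than module constants.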