[RFC] HTTP header field values should be quoted by double quote rather than single-quote

Bug #1762362 reported by Hugo Kou on 2018-04-09
This bug affects 2 people
Affects: keystonemiddleware
Importance: Medium
Assigned to: wangxiyuan

Bug Description

The returned keystone uri is quoted by single quote.

Www-Authenticate: Keystone uri='http://192.168.56.25:5000/'

```
(python-swiftclient) Hugos-2016-MacBook-Pro:queens-v3 hugo$ curl -i http://192.168.56.70/v1/KEY_fb39df2f478d4b728f9029e334ab4345 -H "X-Auth-Token: abcdefghj"
HTTP/1.1 401 Unauthorized
Content-Length: 131
Content-Type: text/html; charset=UTF-8
Www-Authenticate: Keystone uri='http://192.168.56.25:5000/'
X-Trans-Id: tx91410eb73d194085b553e-005acb3004
X-Openstack-Request-Id: tx91410eb73d194085b553e-005acb3004
Date: Mon, 09 Apr 2018 09:19:03 GMT
```

Based on the RFCs, it should be double quote.

https://tools.ietf.org/html/rfc7230#section-3.2.6
https://tools.ietf.org/html/rfc7235#section-2.1

Hugo Kou (tonytkdk) wrote :

wxy pointed me to the code below. It's quoted by single-quote.

https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L681-L683

It could be fixed simply by changing the single quote to double quote.

Davide (dpanarese) on 2018-04-09
information type: Public → Public Security
information type: Public Security → Public
Lance Bragstad (lbragstad) wrote :

If I interact directly with keystone, double quotes are used with that header [0].

[0] http://paste.openstack.org/show/718753/

Morgan Fainberg (mdrnstm) wrote :

Yeah, this looks like a bad quote string in keystonemiddleware. That said, swift is being more restrictive than other consumers of KSM as we haven't seen this issue elsewhere.

The fix is simple (looks like proposal in comment #1 will work)

Changed in keystonemiddleware:
status: New → Confirmed
importance: Undecided → Medium
wangxiyuan (wangxiyuan) wrote :

Keystone works well because it rewrites the header here:
https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L797

Other services that don't handle it but use keystonemiddleware directly will use single quotes, such as Nova, Cinder, Neutron, Glance.

Fix proposed to branch: master
Review: https://review.openstack.org/559925

Changed in keystonemiddleware:
assignee: nobody → wangxiyuan (wangxiyuan)
status: Confirmed → In Progress
tags: added: low-hanging-fruit

Reviewed: https://review.openstack.org/559925
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=a78a25ea23a940fcc510226a2dd33731d81fb213
Submitter: Zuul
Branch: master

commit a78a25ea23a940fcc510226a2dd33731d81fb213
Author: wangxiyuan <email address hidden>
Date: Tue Apr 10 14:40:13 2018 +0800

    Double quote www_authenticate_uri

    Based on the RFCs[1], in http header, a string of text is parsed
    as a single value if it is quoted using double-quote marks.

    This patch changes the single quote to double quote in the header
    "WWW-Authenticate" which is returned when a 401 error is raised.

    [1]: https://tools.ietf.org/html/rfc7230#section-3.2.6
         https://tools.ietf.org/html/rfc7235#section-2.1

    Change-Id: I524c93d30607ea6ab70de92ceea207ee77f34c25
    Closes-bug: #1762362

Changed in keystonemiddleware:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystonemiddleware 5.1.0 release.
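
The grammar the report cites (RFC 7230 section 3.2.6 and RFC 7235 section 2.1), applied to the header from the 401 response above. This is an added example, not code from keystonemiddleware or swift; `parse_challenge` and the constant names are hypothetical, and it handles a single challenge with auth-params only (no token68).

```python
import re

# RFC 7230 section 3.2.6: token = 1*tchar. "'" is a tchar; ":" and "/" are not.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
QUOTED = r'"(?:[\t \x21\x23-\x5B\x5D-\x7E\x80-\xFF]|\\[\t \x21-\x7E\x80-\xFF])*"'
# RFC 7235 section 2.1: auth-param = token BWS "=" BWS ( token / quoted-string )
AUTH_PARAM = re.compile(rf"({TOKEN})[ \t]*=[ \t]*({QUOTED}|{TOKEN})")
SCHEME = re.compile(rf"({TOKEN}) +")
COMMA = re.compile(r"[ \t]*,[ \t]*")


def parse_challenge(value):
    """Strictly parse one challenge: auth-scheme 1*SP auth-param *("," auth-param).

    Returns (scheme, params). Raises ValueError on anything outside the grammar.
    """
    m = SCHEME.match(value)
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, pos, params = m.group(1), m.end(), {}
    while True:
        p = AUTH_PARAM.match(value, pos)
        if not p:
            raise ValueError(f"bad auth-param at offset {pos}: {value[pos:]!r}")
        name, raw = p.group(1).lower(), p.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo quoted-pair escapes
        params[name] = raw
        pos = p.end()
        sep = COMMA.match(value, pos)
        if sep:
            pos = sep.end()
            continue
        if value[pos:].strip(" \t"):
            raise ValueError(f"unparsed data at offset {pos}: {value[pos:]!r}")
        return scheme, params


# Header value from the 401 response in the report, and the double-quoted form.
SINGLE_QUOTED = "Keystone uri='http://192.168.56.25:5000/'"
DOUBLE_QUOTED = 'Keystone uri="http://192.168.56.25:5000/"'

if __name__ == "__main__":
    print(parse_challenge(DOUBLE_QUOTED))
    try:
        parse_challenge(SINGLE_QUOTED)
    except ValueError as exc:
        print("rejected:", exc)
```

The single-quoted value fails because it is neither a quoted-string nor a token: the token match stops at the first ":". A value made only of tchars, such as `uri='abc'`, would parse, but with the quote characters kept as part of the value.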
