OpenStack Shared File Systems Service (Manila)

manila leaks information about volume existance of other projects

Bug #1914363 reported by Liron Kuchlani on 2021-02-03

This bug report is a duplicate of: Bug #1901210: Manila share existence detection. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	New	Undecided	Unassigned

Bug Description

Description of problem:
manilla leaks information about volume existance of other projects

$ manila list
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| ID
| Name | [...] | Is Public | [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| a57cb81d-d5fa-4f92-8898-c13558dc2a67 | arjen | [...] | False
| [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-
b463-416b-9e79-769e68b9f6b1)
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.

In both cases the response should be that the volume doesn't exist, a user should not be able to find out if a volume exists in another project.

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1901210 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.