Default `target={}` value leaks into subsequent `policy.check()` calls
Bug #1397114 reported by Timur Sufiev
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Committed | High | Timur Sufiev |
5.1.x | Invalid | High | MOS Maintenance |
Bug Description
Due to a mutable dictionary being used as the default `target` argument value, the first target calculated from scratch in the POLICY_CHECK function will be used for all subsequent calls to POLICY_CHECK with 2 arguments. The wrong `target` can lead either to a reduced set of permissions on an entity for a given user, or to an enlarged one. Due to independent policy checks on each service's side, this doesn't pose a serious security breach, but can lead to weird UX behaviour.
This is a clone of an upstream security bug.
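The failure mode described above, reduced to a minimal sketch. This is an added example, not the project's code: `User`, `check_leaky`, `check_fixed`, `leaked_default` and the single owner rule are hypothetical stand-ins for the real policy check, and the two users are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Constructed stand-in for the requesting user."""
    name: str
    project_id: str


def _owner_rule(user, target):
    """Toy rule: the action is allowed only on the user's own project."""
    return target["project_id"] == user.project_id


def check_leaky(action, user, target={}):  # BUG: one dict shared by all calls
    # Missing target fields are filled in from the caller. With the shared
    # default, the first caller's project is written into the dict that
    # every later 2-argument call receives.
    if target.get("project_id") is None:
        target["project_id"] = user.project_id
    return _owner_rule(user, target)


def check_fixed(action, user, target=None):
    # Build a fresh dict per call; copying also keeps a caller-supplied
    # target from being mutated.
    target = dict(target) if target is not None else {}
    if target.get("project_id") is None:
        target["project_id"] = user.project_id
    return _owner_rule(user, target)


def run(check):
    """Two users each make a 2-argument call; both should be allowed."""
    alice = User("alice", "proj-a")
    bob = User("bob", "proj-b")
    return [check("volume:delete", alice), check("volume:delete", bob)]


def leaked_default(func):
    """Return the current default for the last parameter (review aid)."""
    return func.__defaults__[-1]


if __name__ == "__main__":
    print("leaky:", run(check_leaky), leaked_default(check_leaky))
    print("fixed:", run(check_fixed), leaked_default(check_fixed))
```

In this sketch the leak shows up as a wrongly denied second user; whether a real rule ends up denying or granting depends on how it reads the stale `target`.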
description: updated
Changed in mos:
status: New → Fix Committed
milestone: none → 6.0
no longer affects: mos/5.1.1-updates
Making public because it's opened in upstream.