neutron

quota API missing input validation

Bug #1688024 reported by Matthew Edmonds on 2017-05-03

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	Undecided	Yan Songming

Bug Description

As seen with the following curl command, neutron accepts float values for quotas that should require ints. It coverts them to an int, but it should have returned HTTP 400 instead. The conversion it's doing may or may not have the same results in python3 as it does here in python2, so that's another potential concern.

curl -s -X PUT http://localhost:9696/v2.0/quotas/c4d15a1adc0a4cd89006d4db0a2bdfed -H "Accept: application/json" -H "X-Auth-Token: <my_token>" -H "Content-Type: application/json" -d '{"quota": {"floatingip": 2.9}}' | python -m json.tool
{
    "quota": {
        "floatingip": 2,
        "network": -1,
        "port": -1,
        "rbac_policy": 10,
        "router": 10,
        "security_group": 10,
        "security_group_rule": 100,
        "subnet": -1,
        "subnetpool": -1
    }
}

Revision history for this message

Matthew Edmonds (edmondsw) wrote on 2017-05-03:

probably requires a fix similar to https://review.openstack.org/#/c/451316/ that was made for cinder.

Yan Songming (songmingyan) on 2017-05-04

Changed in neutron:
assignee:	nobody → Yan Songming (songmingyan)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.