Neutron API responses should not contain tracebacks
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Low | Bence Romsics |
Bug Description
Security folks found some corner cases in the neutron API where the response contains a traceback, for example:
```
$ curl --request-target foo -k http://
Traceback (most recent call last):
  File "/usr/local/
    result = self.applicatio
  File "/usr/local/
    path_info = self.normalize_
  File "/usr/local/
    assert (not url or url.startswith('/')
AssertionError: URL fragments must start with / or http:// (you gave 'foo')
```
As a developer I don't mind such tracebacks, but I see their point that this may give away unwanted information to an attacker. On the other hand I would not consider this in itself a vulnerability.
Pushing a trivial fix in a minute.
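The hardening the report asks for, shown as an added example rather than neutron's own patch: a WSGI app whose path handling asserts on a malformed request target (reproducing the message in the report), a wrapper that leaks the traceback into the body (the behaviour to avoid), and a middleware that logs the full traceback server-side and returns only a generic JSON error with a correlation id. All names (`fragile_app`, `leaky_wrapper`, `safe_error_middleware`, `call`) and the in-memory log sink are assumptions for this example.

```python
"""Hypothetical example, not neutron's code: keep Python tracebacks out of
HTTP responses while still recording them for operators."""
import json
import logging
import sys
import traceback
import uuid

# In-memory log sink so the server-side record can be inspected here;
# a real deployment sends this to its normal log files.
LOG_RECORDS = []
log = logging.getLogger("example.api.errors")


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_RECORDS.append(self.format(record))


log.addHandler(_ListHandler())


def fragile_app(environ, start_response):
    """Stand-in API endpoint whose path handling asserts on malformed input,
    mirroring the AssertionError quoted in the bug report (constructed)."""
    target = environ.get("PATH_INFO", "/")
    assert target.startswith("/") or target.startswith("http://"), (
        "URL fragments must start with / or http:// (you gave %r)" % target)
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps({"ok": True}).encode()]


def leaky_wrapper(app):
    """The behaviour to avoid: an outer handler that writes the exception
    text straight into the response body, exposing file paths and code."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain")], sys.exc_info())
            return [traceback.format_exc().encode()]
    return wrapped


def safe_error_middleware(app):
    """Hardened form: log the traceback with a correlation id and return
    only a generic error carrying that id, so support can still find it."""
    def wrapped(environ, start_response):
        try:
            return app(environ, start_response)
        except Exception:
            request_id = str(uuid.uuid4())
            log.error("unhandled exception request_id=%s\n%s",
                      request_id, traceback.format_exc())
            # exc_info is passed so a WSGI server accepts a second
            # start_response call if the inner app already began a reply.
            start_response("500 Internal Server Error",
                           [("Content-Type", "application/json")],
                           sys.exc_info())
            body = {"error": "internal server error", "request_id": request_id}
            return [json.dumps(body).encode()]
    return wrapped


def call(app, request_target):
    """Minimal WSGI client: returns (status line, decoded body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": request_target}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    print(call(leaky_wrapper(fragile_app), "foo"))
    print(call(safe_error_middleware(fragile_app), "foo"))
    print(call(safe_error_middleware(fragile_app), "/v2.0/networks"))
```

The middleware sits at the outermost layer of the pipeline; it is only useful if it wraps the code path that raised, which is the point of the report: the assertion fired in URL normalisation before the API's usual error handling was reached.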
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/818391