rpc review: allowed_rpc_exception_modules configuration option
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
oslo-incubator | Fix Released | Medium | Unassigned | |
Bug Description
RPC allows exceptions to be serialized and deserialized in call/multicall.
The JSON payload includes the module name and name of the exception class. On the consumer side, we load that module and instantiate the class.
We have a whitelist of module names from which we will load exceptions. The idea here is to prevent the client from having the server load and execute arbitrary code.
Currently, this is configurable via the allowed_
So, it seems what we really want is an allowed_
For reference, the option was originally added here - https:/
summary: |
- rpc review: allowed_rpc_exception_modules + rpc review: allowed_rpc_exception_modules configuration option |
Changed in openstack-common: | |
milestone: | folsom-3 → none |
affects: | openstack-common → oslo |
Supported now by allowed_remote_exmods in oslo.messaging
See http://docs.openstack.org/developer/oslo.messaging/transport.html
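
The allowlist check described in the bug report above, as an added example that is not part of the original report and is not oslo code. The payload field names (`module`, `class`, `message`, `args`), the `RemoteError` fallback class and the `ALLOWED_MODULES` set are assumptions made for this sketch.

```python
import importlib
import json

# Assumed allowlist for this sketch: exact module names only, no prefix matching.
ALLOWED_MODULES = frozenset({"builtins"})


class RemoteError(Exception):
    """Generic stand-in returned when the named class is not safe to load."""

    def __init__(self, exc_type, value):
        self.exc_type, self.value = exc_type, value
        super().__init__(f"Remote error: {exc_type} {value}")


def deserialize_remote_exception(payload, allowed=ALLOWED_MODULES):
    """Rebuild an exception from a JSON failure payload, or return RemoteError."""
    failure = json.loads(payload)
    if not isinstance(failure, dict):
        return RemoteError("unknown", "malformed failure payload")
    module = str(failure.get("module"))
    name = str(failure.get("class"))
    fallback = RemoteError(f"{module}.{name}", str(failure.get("message", "")))

    # Check the allowlist BEFORE importing: importing a module runs its
    # top-level code, which is what the allowlist is meant to prevent.
    if module not in allowed:
        return fallback
    try:
        klass = getattr(importlib.import_module(module), name)
        # An allowed module can still export non-exception callables, so
        # only real Exception subclasses may be instantiated.
        if not (isinstance(klass, type) and issubclass(klass, Exception)):
            return fallback
        return klass(*failure.get("args", []))
    except (ImportError, AttributeError, TypeError):
        return fallback


# Constructed sample payloads (not captured traffic).
OK = json.dumps({"module": "builtins", "class": "ValueError",
                 "message": "bad id", "args": ["bad id"]})
NOT_LISTED = json.dumps({"module": "some.unlisted.module", "class": "Whatever",
                         "message": "boom", "args": []})
NOT_EXCEPTION = json.dumps({"module": "builtins", "class": "dict",
                            "message": "", "args": []})

if __name__ == "__main__":
    for sample in (OK, NOT_LISTED, NOT_EXCEPTION):
        print(repr(deserialize_remote_exception(sample)))
```
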