Comment 39 for bug 2030976

OpenStack Infra (hudson-openstack) wrote: Fix merged to oslo.messaging (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/oslo.messaging/+/891742
Committed: https://opendev.org/openstack/oslo.messaging/commit/6aa3c6fd389289507f40d22a83253100ddbb169d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 6aa3c6fd389289507f40d22a83253100ddbb169d
Author: Jay Faulkner <email address hidden>
Date: Thu Aug 10 11:28:32 2023 -0700

    Only allow safe context fields in notifications

    Publishing a fully hydrated context object in a notification would give
    someone with access to that notification the ability to impersonate the
    original actor through inclusion of sensitive fields.

    Now, instead, we pare down the context object to the bare minimum before
    passing it for serialization in notification workflows.

    Closes-bug: 2030976
    Change-Id: Ic94323658c89df1c1ff32f511ca23502317d0f00
    (cherry picked from commit 1b315615e7dc61dbf845bd663560fc8d5a18fa09)