OpenStack Security Advisory

Bug #1453948
Comment #11

Comment 11 for bug 1453948

Revision history for this message

Kota Tsuyuzaki (tsuyuzaki-kota) wrote on 2015-07-24: Re: all PUT tempurls leak existence via DLO manifest attack

#11

fix-tempurl-for-clayg.diff Edit (7.3 KiB, text/plain)

@Clay

Here for you adding the self.fail to functional if manifest file upload succeeded.

Code looks good but just a question from me. Is this bug already defined as class A? If so, no problem to merge attached patch I guess.

However, if classified as B or so, I am wondering if we could take another option (or not? I'm not sure) that we can add 'x-object-manifest' to incoming_remove_headers at tempurl config as default. The way I'm now suggesting here allows to put object with 'x-object-manifest' header (will succeed as 201) but actually Swift will store the empty object w/o the header. The reason I talk about this is that currently Swift doesn't block similar uploading case for *SLO*. Note that SLO doesn't have security issue like this for now because tempurl PUT seems to drop "multipart-manifest=put" query. Therefore "blocking as 400" vs "Allowing to store but modified silently like SLO".