Comment 12 for bug 1453948

clayg (clay-gerrard) wrote : Re: all PUT tempurls leak existence via DLO manifest attack

@Kota I want the explicit error because if someone is trying to make a dlo via tempurl they are either

a) trying to validate this security hole and they will know they are patched/hosed by the 400

b) trying to use this vulnerability as a makeshift temporary-large-object-upload feature and should be told explicitly that we have broken this workflow because it was not safe and they will need to force us to implement some support for this use case (probably via for tempurl signatures in slo's FWIW).

I retested Kota's patch and I think the only thing that is missing is the Co-Author line ;)