OpenStack Security Advisory

  1. Bug #1482371
  2. Comment #13

Comment 13 for bug 1482371

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

Here's the current behaviour for the various headers which can be supplied:

x-image-meta-location: 400 (ok)
x-image-meta-size: 403 (ok)
x-image-meta-is_public: N/A
x-image-meta-disk_format: N/A
x-image-meta-container_format: N/A
x-image-meta-name: N/A
x-image-meta-status: 200 (bad, bug 1482371)
x-image-meta-copy_from: 200 (dropped, ok)
x-image-meta-uri: 200 (dropped, ok)
x-image-meta-checksum: 403 (ok)
x-image-meta-created_at: 200 (dropped, ok)
x-image-meta-updated_at: 200 (dropped, ok)
x-image-meta-deleted_at: 200 (dropped, ok)
x-image-meta-min_ram: N/A
x-image-meta-min_disk: N/A
x-image-meta-owner: 200 (dropped, ok)
x-image-meta-store: 200 (dropped, ok)
x-image-meta-id: 500 (bad, new bug 1483353)
x-image-meta-protected: N/A
x-image-meta-deleted: 200 (dropped, ok)
x-image-meta-virtual_size: N/A

It probably makes sense to return 403 for 'id', since the current behaviour won't update any other parameters when id is provided.

In the case of status we could consider just ignoring it, ie matching the behaviour of 'owner', ie it is not really something 'settable' in v1, so ignore it.