Comment 16 for bug 1482371

Flavio Percoco (flaper87) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

I think the order of validation should be:

1) Check whether the header being passed is valid/allowed.
2) Check if the value provided is valid.

The reason I believe the above is correct is that doing it the other way around we'd give the attacker hints of what statuses are valid. This might not be such a big issue since image statuses are public anyway but still, I believe that would be the right workflow.

There's no point in letting the user guess the right status to then let the user know that status can't be updated.

Hope the above makes sense.
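The two validation orders discussed in the comment above, side by side, as an added example that is not part of the original comment and is not Glance code. The function names, the status set, and the writable `x-image-meta-is_public` header are assumptions made for illustration.

```python
# Constructed values for illustration; not taken from the Glance source.
VALID_STATUSES = {"queued", "saving", "active", "killed", "deleted"}
READ_ONLY_HEADERS = {"x-image-meta-status"}       # a PUT may not set these
VALUE_RULES = {
    "x-image-meta-status": VALID_STATUSES,
    "x-image-meta-is_public": {"true", "false"},  # assumed writable header
}


def _value_ok(name, value):
    allowed = VALUE_RULES.get(name)
    return allowed is None or value.lower() in allowed


def check_value_first(headers):
    """Value validated before the header: the order the comment argues against."""
    for name, value in headers.items():
        if not _value_ok(name, value):
            return 400, "Invalid value for %s" % name
        if name in READ_ONLY_HEADERS:
            return 403, "Header %s cannot be updated" % name
    return 200, "OK"


def check_header_first(headers):
    """Order proposed in the comment: 1) is the header allowed, 2) is the value valid."""
    for name, value in headers.items():
        if name in READ_ONLY_HEADERS:
            return 403, "Header %s cannot be updated" % name
        if not _value_ok(name, value):
            return 400, "Invalid value for %s" % name
    return 200, "OK"


def codes_seen(check, candidates):
    """Distinct response codes a caller observes while trying status values."""
    return {check({"x-image-meta-status": c})[0] for c in candidates}


PROBES = ["active", "bogus", "killed", "nonsense"]  # constructed sample input

if __name__ == "__main__":
    print("value first :", sorted(codes_seen(check_value_first, PROBES)))
    print("header first:", sorted(codes_seen(check_header_first, PROBES)))
```

With the value checked first, the response code differs between valid and invalid status strings even though none of them can be applied; with the header checked first, every attempt gets the same rejection.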