We should consider the middleware ordering as a security issue in openstack/puppet-swift.
Draft Impact Description:
When adding the ::swift::proxy::staticweb class, the 'staticweb' middleware section will be added before the Keystone options, but the staticweb middleware needs to be put after the authentication middlewares to
ensure correct functionality, as documented in http://docs.openstack.org/developer/swift/middleware.html#staticweb
Without this, Swift sends an HTML response even if the request was done using an
X-Auth-Token. This might result in a faulty handling of the response on the client
side; for example, "swift stat containername" would report an empty, private container,
while the container might actually be publicly readable with data stored in it.
We are about to submit a patch that fixes the issue and backport it to the stable branches (Kilo, Juno and Icehouse).
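
A check for the ordering described in this report, as an added example that is not part of the original report or of puppet-swift: it parses a proxy-server.conf and flags a pipeline in which staticweb precedes an authentication filter. The sample configuration and its filter section names are constructed for illustration.

```python
import configparser

# Factory substrings that identify the auth filters and staticweb.
AUTH_MARKERS = ("auth_token", "#keystoneauth", "#tempauth")
STATICWEB_MARKER = "#staticweb"

# Constructed sample proxy-server.conf; section names are assumptions.
SAMPLE = """\
[pipeline:main]
pipeline = {pipeline}
[filter:staticweb]
use = egg:swift#staticweb
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
[filter:keystone]
use = egg:swift#keystoneauth
[app:proxy-server]
use = egg:swift#proxy
"""
BAD = SAMPLE.format(pipeline="catch_errors cache staticweb authtoken keystone proxy-server")
GOOD = SAMPLE.format(pipeline="catch_errors cache authtoken keystone staticweb proxy-server")

def resolve_pipeline(conf_text):
    """Return [(name, factory)] for each entry of [pipeline:main]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    resolved = []
    for name in cp.get("pipeline:main", "pipeline").split():
        factory = ""
        for kind in ("filter", "app"):
            section = f"{kind}:{name}"
            if cp.has_section(section):
                # Paste Deploy sections name their factory in one of these keys.
                factory = (cp.get(section, "use", fallback="")
                           or cp.get(section, "paste.filter_factory", fallback=""))
        resolved.append((name, factory))
    return resolved

def staticweb_misordered(conf_text):
    """True if staticweb sits before any auth filter in the pipeline."""
    factories = [f for _, f in resolve_pipeline(conf_text)]
    static_idx = [i for i, f in enumerate(factories) if f.endswith(STATICWEB_MARKER)]
    auth_idx = [i for i, f in enumerate(factories) if any(m in f for m in AUTH_MARKERS)]
    if not static_idx or not auth_idx:
        return False  # nothing to order against
    return min(static_idx) < max(auth_idx)

if __name__ == "__main__":
    for label, conf in (("bad", BAD), ("good", GOOD)):
        print(label, "misordered" if staticweb_misordered(conf) else "ok")
```

Filters are matched by their factory rather than by their pipeline label, so a renamed section such as `[filter:keystone]` is still recognised.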