swift does not return when max object size is exceeded
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Object Storage (swift) | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
The swift max object size is ~5GB.
If a user attempts to upload an object of a size > 5GB from stdin, all input data is read by the server.
In this example 7GB was uploaded.
$ cat dd.7000 | curl -i -X PUT -T - -H 'x-auth-token: XXX' https:/
% Total % Received % Xferd Average Speed Time Time Time Current
100 7003M 0 108 0 7003M 0 37.5M --:--:-- 0:03:06 --:--:-- 35.8M
Instead the server should return when the max object size is hit.
I haven't looked in detail at the swift code, but in the case of glance (https:/
it seems to be down to this section of wsgi code in /usr/lib/
    finally:
        if hasattr(result, 'close'):
            result.close()
        if (self.environ[
                self.environ[
                < self.environ[
            ## Read and discard body if there was no pending 100-continue
            if not self.environ[
                # NOTE: MINIMUM_CHUNK_SIZE is used here for purpose different than chunking.
                # We use it only cause it's at hand and has reasonable value in terms of
                # emptying the buffer.
                start = time.time()
                while self.environ[
                    pass
        finish = time.time()
Marking as security related in case people consider it DOS risk. Feel free to mark public if appropriate.
information type: Private Security → Public
Changed in ossa: status: Incomplete → Won't Fix
Changed in swift: status: New → Won't Fix
I performed an isolated test and it does appear to read all input data from the request as indicated. (Even for 404 not found).
I would suggest that we raise this bug with <email address hidden> or maybe <email address hidden> as it really needs to be handled and fixed by the eventlet people. We can track the progress of the fix accordingly.
Sound good?
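
The behaviour the report asks for, as an added example that is not swift's or eventlet's code: stop reading a chunked upload once the size limit is crossed, and cap the post-response drain so the rest of the body is not consumed. The limit, chunk size, drain budget and all names are assumptions for illustration, and a small constructed body stands in for the 7GB upload.

```python
import io

MAX_OBJECT_SIZE = 5 * 1024   # constructed small limit standing in for swift's ~5GB
CHUNK = 1024                 # read size (assumption)
DRAIN_BUDGET = 2 * CHUNK     # most we discard to keep the connection reusable


class CountingStream(io.BytesIO):
    """Constructed stand-in for the request body; counts bytes the server pulled."""
    consumed = 0

    def read(self, n=-1):
        data = super().read(n)
        self.consumed += len(data)
        return data


def store_bounded(body, limit=MAX_OBJECT_SIZE):
    """Read the body in chunks and stop as soon as the limit is crossed."""
    stored = 0
    while True:
        chunk = body.read(CHUNK)
        if not chunk:
            return 201, stored
        stored += len(chunk)
        if stored > limit:
            return 413, stored  # reject now; do not read the rest


def drain_bounded(body, budget=DRAIN_BUDGET):
    """Discard at most `budget` leftover bytes. True: body ended, connection can
    be reused. False: budget spent first, so close instead of reading on."""
    discarded = 0
    while discarded < budget:
        chunk = body.read(min(CHUNK, budget - discarded))
        if not chunk:
            return True
        discarded += len(chunk)
    return False


def handle_put(body, declared_length=None):
    """Return (status, keep_alive); declared_length is None for chunked uploads."""
    if declared_length is not None and declared_length > MAX_OBJECT_SIZE:
        return 413, drain_bounded(body)  # rejected before storing anything
    status, _ = store_bounded(body)
    keep_alive = True if status == 201 else drain_bounded(body)
    return status, keep_alive
```

A `keep_alive` of `False` tells the caller to close the connection after sending the 413, which is what prevents the unbounded read-and-discard loop quoted in the description.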