OpenStack Object Storage (swift)

Using a carriage return / line feed in an object name with a tempurl results in invalid http

Bug #1306250 reported by gholt on 2014-04-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Object Storage (swift)	Fix Released	Undecided	Unassigned	OpenStack Object Storage (swift) 2.0.0

Bug Description

Using a carriage return / line feed in an object name with a tempurl results in invalid http... For example:

    HTTP/1.1 200 OK
    Content-Length: 13
    Content-Disposition: attachment; filename="object
    4.txt"
    Accept-Ranges: bytes
    Last-Modified: Thu, 10 Apr 2014 15:28:18 GMT
    Etag: 1fa01959f1368b171485a6a04eedf24a
    X-Timestamp: 1397143697.50723
    Content-Type: text/plain
    X-Trans-Id: tx008aa403f43543be90118-0053470310iad3
    Date: Thu, 10 Apr 2014 20:46:08 GMT

Testing Four

Revision history for this message

Openstack Gerrit (openstack-gerrit) wrote on 2014-05-04: Fix merged to swift (master)

Reviewed: https://review.openstack.org/86691
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=f469d4214f0d60a02a2f03edf512ad22e17432d7
Submitter: Jenkins
Branch: master

commit f469d4214f0d60a02a2f03edf512ad22e17432d7
Author: gholt <email address hidden>
Date: Tue Apr 22 15:00:09 2014 +0000

TempURL: Fixed bug with \r or \n in disposition.

    If an object had a \r or \n in its name, it would end up creating an
    invalid HTTP Content-Disposition header. Reviewer consensus was to use
    URL encoding.

Fixes bug 1306250

Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d

Changed in swift:
status:	New → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-15: Fix proposed to swift (feature/ec)

Fix proposed to branch: feature/ec
Review: https://review.openstack.org/93823

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-16: Fix merged to swift (feature/ec)

Download full text (9.7 KiB)

Reviewed: https://review.openstack.org/93823
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=aa8d5518d2080b3811cc74b9b9fcca0368fc7299
Submitter: Jenkins
Branch: feature/ec

commit 4cd3478b4b996108f5a581ef09add348e6246596
Author: Christian Berendt <email address hidden>
Date: Sun May 11 14:44:47 2014 +0200

debug level logs should not be translated

    According to the OpenStack translation policy available at
    https://wiki.openstack.org/wiki/LoggingStandards debug messages
    should not be translated. Like mentioned in several changes in
    Nova by garyk this is to help prioritize log translation.

Change-Id: I59486b1110f08510d83a4aec2a1666805c59d1cd
Closes-Bug: #1318333

commit b4c5a136642bb87816bfbbad81b79efd4551a05e
Author: Brian Cline <email address hidden>
Date: Sat May 10 05:15:12 2014 -0500

Uses None instead of mutables for function param defaults

    As seen on #1174809, changes use of mutable types as default
    arguments and defaults them within the method. Otherwise, those
    defaults can be unexpectedly persisted with the function between
    invocations and erupt into mass hysteria on the streets.

    There was indeed a test (TestSimpleClient.test_get_with_retries)
    that was erroneously relying on this behavior. Since previous tests
    had populated their own instantiations with a token, this test only
    passed because the modified headers dict from previous tests was
    being overridden. As expected, with the mutable defaults fix in
    SimpleClient, this test begain to fail since it never specified any
    token, yet it has always passed anyway. This change also now provides
    the expected token.

Change-Id: If95f11d259008517dab511e88acfe9731e5a99b5
Related-Bug: #1174809

commit 1dfe5186542486342581ab66cd5364b6b7d04e93
Author: Morgan Fainberg <email address hidden>
Date: Wed May 7 12:15:43 2014 -0700

Update mailmap for Morgan Fainberg

Change-Id: Ia46c28c86ef3f440556b1b027d2bf0a7f3e721c5

commit bcdafa3831111f334caadd30505f051c81abcb1f
Author: Eamonn O'Toole <email address hidden>
Date: Tue Apr 29 15:04:42 2014 +0100

Sleep between object ZBF process forks

    We've found that, on fresh systems where the ZBF run completes
    almost instantaneously, the Swift logs (syslog by default) get
    filled-up with object ZBF scan start and completion messages.
    This patch calls self._sleep() between ZBF scan runs to cut-down
    on these messages and the related unnecessary ZBF scan runs
    without impacting the integrity of the object auditing process.

Change-Id: I057c5ca235467cfa115a7a3d44e21c350900059a

commit 067b41e85479b29a7018e2f9ce7afd330bf3fdef
Author: Peter Portante <email address hidden>
Date: Sat Jan 11 00:18:04 2014 -0500

In-process swift server for functional tests

Provide a way to run the functional tests using a p/a/c/o server setup
in the same process running the nosetests infrastructure.

    By setting the environment variable, SWIFT_TEST_IN_PROCESS, to a true
    value, the functional test framework will construct a set of proxy,
    account, container...

Reviewed:  https://review.openstack.org/93823
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=aa8d5518d2080b3811cc74b9b9fcca0368fc7299
Submitter: Jenkins
Branch:    feature/ec

commit 4cd3478b4b996108f5a581ef09add348e6246596
Author: Christian Berendt <berendt@b1-systems.de>
Date:   Sun May 11 14:44:47 2014 +0200

debug level logs should not be translated
    
    According to the OpenStack translation policy available at
    https://wiki.openstack.org/wiki/LoggingStandards debug messages
    should not be translated. Like mentioned in several changes in
    Nova by garyk this is to help prioritize log translation.
    
    Change-Id: I59486b1110f08510d83a4aec2a1666805c59d1cd
    Closes-Bug: #1318333

commit b4c5a136642bb87816bfbbad81b79efd4551a05e
Author: Brian Cline <bcline@softlayer.com>
Date:   Sat May 10 05:15:12 2014 -0500

Uses None instead of mutables for function param defaults
    
    As seen on #1174809, changes use of mutable types as default
    arguments and defaults them within the method. Otherwise, those
    defaults can be unexpectedly persisted with the function between
    invocations and erupt into mass hysteria on the streets.
    
    There was indeed a test (TestSimpleClient.test_get_with_retries)
    that was erroneously relying on this behavior. Since previous tests
    had populated their own instantiations with a token, this test only
    passed because the modified headers dict from previous tests was
    being overridden. As expected, with the mutable defaults fix in
    SimpleClient, this test begain to fail since it never specified any
    token, yet it has always passed anyway. This change also now provides
    the expected token.
    
    Change-Id: If95f11d259008517dab511e88acfe9731e5a99b5
    Related-Bug: #1174809

commit 1dfe5186542486342581ab66cd5364b6b7d04e93
Author: Morgan Fainberg <morgan.fainberg@gmail.com>
Date:   Wed May 7 12:15:43 2014 -0700

Update mailmap for Morgan Fainberg
    
    Change-Id: Ia46c28c86ef3f440556b1b027d2bf0a7f3e721c5

commit bcdafa3831111f334caadd30505f051c81abcb1f
Author: Eamonn O'Toole <eamonn.otoole@hp.com>
Date:   Tue Apr 29 15:04:42 2014 +0100

Sleep between object ZBF process forks
    
    We've found that, on fresh systems where the ZBF run completes
    almost instantaneously, the Swift logs (syslog by default) get
    filled-up with object ZBF scan start and completion messages.
    This patch calls self._sleep() between ZBF scan runs to cut-down
    on these messages and the related unnecessary ZBF scan runs
    without impacting the integrity of the object auditing process.
    
    Change-Id: I057c5ca235467cfa115a7a3d44e21c350900059a

commit 067b41e85479b29a7018e2f9ce7afd330bf3fdef
Author: Peter Portante <peter.portante@redhat.com>
Date:   Sat Jan 11 00:18:04 2014 -0500

In-process swift server for functional tests
    
    Provide a way to run the functional tests using a p/a/c/o server setup
    in the same process running the nosetests infrastructure.
    
    By setting the environment variable, SWIFT_TEST_IN_PROCESS, to a true
    value, the functional test framework will construct a set of proxy,
    account, container and object servers running in the same process that
    is running the functional tests, ignoring any external swift
    service. This in-process swift environment is akin to the one used in
    test/unit/proxy/test_server.py.
    
    Setting that same environment variable to a false value will ensure the
    in-process servers are not used.
    
    When the above environment variable is not present, and the
    /etc/swift/test.conf is _not_ present (or present but empty) on the
    system where the functional tests are executing, the in-process
    environment will be used. Previously, if no /etc/swift/test.conf file
    was found, the tests would just be marked as skipped.
    
    Using this in-process method allows one to gather code coverage using
    the functional tests to exercise code paths, in addition to the unit
    tests, or more easily debug existing functional tests, or even write new
    ones.
    
    There are two constraints that are changed for use with the in-process
    functional tests: max_file_size is lowered to roughly 8 MB, and
    client_timeout is set to 4s.
    
    Change-Id: I5acd65e3068868d6509feae1d1954237d37fad45

commit 032f0bfc7c6754afbad1bf8de7a4a6fde8d5cee0
Author: Alex Gaynor <alex.gaynor@gmail.com>
Date:   Fri Apr 25 19:54:49 2014 -0700

Fix several typos in the codebase.
    
    These were found using https://github.com/intgr/topy
    
    Change-Id: I0dc7b76c44b8b17b1dcd79184dad1516fb11173c

commit 3af5216543a8a6e769822c4175cf840e572b628c
Author: Luis de Bethencourt <luis@debethencourt.com>
Date:   Thu Apr 24 11:02:54 2014 -0400

Sort the log file dates in reverse order
    
    We want to show log files in descending order.
    
    Change-Id: I6f79d9f5a73afa43efec36c3ca99afcde3fe7813
    Closes-Bug: #1311405

commit 1fb0709d2f581c5cbe215fb95ff2712ccd5cd622
Author: anc <alistair.coles@hp.com>
Date:   Fri Apr 25 13:42:30 2014 +0100

Unit test for common.utils.cache_from_env
    
    The behavior of common.utils.cache_from_env
    was changed by https://review.openstack.org/#/c/89488/.
    This patch adds unit test for that function.
    
    Change-Id: If757e12990c971325f7705731ef529a7e2a9eee7

commit 5b8fad754cd2b76a1180f7f498e0045cc3ee87d9
Author: Chuck Thier <cthier@gmail.com>
Date:   Thu Apr 24 16:50:03 2014 +0000

Fix coverage report for newer versions of coverage
    
    With newer versions of coverage (at least what is installed with ubuntu
    trusty), code coverage isn't working.  Making this change allows the
    coverage library to find the swift package.
    
    Change-Id: I3b3792622904a86096064c0e03c8095636f83973

commit aa6bd2c0abedfd791929fad2f24795b4069e7035
Author: YummyBian <yummy.bian@gmail.com>
Date:   Tue Apr 22 23:52:28 2014 +0800

Fix redundant add operation of set in ring
    
    You don't need to add dev_id into seen_ids again when it has already existed in seen_ids.
    
    Fixes Bug #1311190
    
    Change-Id: If0766de8dc5e2a59a648cae39c789c91131805d2

commit f469d4214f0d60a02a2f03edf512ad22e17432d7
Author: gholt <z-launchpad@brim.net>
Date:   Tue Apr 22 15:00:09 2014 +0000

TempURL: Fixed bug with \r or \n in disposition.
    
    If an object had a \r or \n in its name, it would end up creating an
    invalid HTTP Content-Disposition header. Reviewer consensus was to use
    URL encoding.
    
    Fixes bug 1306250
    
    Change-Id: Ibccaaed5152b4d09d6aee4966a1982cc0a0da07d

commit 20e46bc14796a0932405ce6ac341890bfb4352a4
Author: David Goetz <dpgoetz@gmail.com>
Date:   Mon Apr 21 15:20:12 2014 -0700

setting request_node_count doesn't work
    
    Change-Id: Ia161b872cf5ffa43c10334b42cc36d679c3adf56

commit 07841b42828dc133ba258cf7c7f09d6f8906a96f
Author: Takashi Kajinami <kajinamit@nttdata.co.jp>
Date:   Fri Apr 18 11:43:44 2014 +0900

Fix error log of proxy-server when cache middleware is disabled
    
    Change-Id: I0b67721cbb692fb8d2a5dd8b2c4f5383512b7b45
    Closes-Bug: #1306591

commit 968ec9806fb6ee12b4cd5ef016363bd1850dab95
Author: Paul Luse <paul.e.luse@intel.com>
Date:   Sat Apr 12 16:39:29 2014 -0700

Bring Object Auditor Coverage To 99%
    
    Previously at 87% with 20 missing 11 partial, this additional
    test code brings it to 99% 0 missing and 3 partial.  Noticed
    some easy places to add coverage while working on the
    Storage Policy branch.
    
    Change-Id: I49b5b4db3341416fce1ef42811732c16d3265522

commit 51f6035f3b8be100fc79605db31676c8b75631e2
Author: Christian Schwede <christian.schwede@enovance.com>
Date:   Thu Apr 17 16:45:12 2014 +0000

Fix test-requirements.txt
    
    mock >= 1.0 changed the behavior for iterable sideeffects. Any
    exceptions in an iterable side_effect will now be raised instead of
    returned.
    
    With mock < 1.0 tests are failing, because test for the
    internal client (TestSimpleClient.test_get_with_retries) use an
    iterable sideeffect that raise an URLError on the first request
    and pass on the second request.
    
    Change-Id: I568b68c33ff599d7a4f590e2a0eb8caeee4b4d4e

commit 4dd2670fb03b491a106e399791ef21783721ebc9
Author: Peter Portante <peter.portante@redhat.com>
Date:   Thu Apr 10 15:37:15 2014 -0400

Load constraints from cluster info dictionary
    
    Use constrainst from the new "swift-constraints" section of test.conf,
    fall back to those found in the response to the /info API call,
    ultimately falling back to the constraints module's effective
    constraints.
    
    Change-Id: Iea01c9c4b5148faa10004a240df411cbe7336a6a

commit 31dac18625427b03cd808a123cc5b26c13dcaa92
Author: Samuel Merritt <sam@swiftstack.com>
Date:   Tue Apr 8 11:27:14 2014 -0700

Check swift.conf MD5 with recon
    
    I've seen several folks recently have problems with their Swift
    clusters because they had different hash prefixes on different
    nodes. Let's help them out by having recon check that.
    
    Note that MD5-equality is stronger than what we need (which is
    ConfigParser-equality for a particular set of keys), but this way we
    don't expose the secret hash prefix and suffix across the internal
    network, just the MD5 checksum of the file containing them.
    
    Change-Id: I3af984ee45947345891b3c596a88e3464f178cc7

commit 1f0058e61e9094cdf9484e982b7f662660bed87e
Author: Chuck Thier <cthier@gmail.com>
Date:   Thu Apr 10 18:59:01 2014 +0000

Fix logging issue when services stop on py26
    
    On older versions of python 2.6, exceptions would be spewed to the error
    log whenever a service would stop.  This gets magnified by the
    container-updater which seems to do it with every pass.  This catches
    and squelches the error.
    
    Change-Id: I5944c1620c62cf0868b70dae7d7e2acd56bf8211
    Closes-Bug: #1306027

Thierry Carrez (ttx) on 2014-06-21

Changed in swift:
status:	Fix Committed → Fix Released
milestone:	none → 2.0.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.