unauthorized container GET returns 404 when account not found
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | Fix Released | Undecided | Alistair Coles |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
A GET on a swift container will return 404 if the account is not found (e.g. not created) regardless of request authorization. If the request is unauthorized or unauthenticated then the response should be 403 or 401.
Steps to reproduce the behavior are shown below (same has been observed with keystoneauth). The root cause is that the proxy container controller returns 404 as soon as finding no account, rather than delegating response to the auth middleware via a call to swift.authorize.
I have marked this as a security vulnerability because although no user data is exposed, it does reveal a user's (non)activity, or that a particular project ID is not in use. I'm not sure if others would see that as a 'vulnerability' but I'm erring on the side of caution and I will defer to the security team to make that call.
Proposed fix attached to this bug report. Note that a functional test is not appropriate because you need to be sure that the account does not exist to usefully test, and we can't be sure of that on a cluster under test.
Example:
A GET (or HEAD) on a container in a non-existent account will return 404.
swift@saio-
91d04ce Merge "Make ThreadPools deallocatable."
swift@saio-
<snip>
swift@saio-
<snip>
# using tempauth...
swift@saio-
{"formpost": {}, "container_quotas": {}, "tempauth": {"account_acls": true}, "tempurl": {"methods": ["GET", "HEAD", "PUT", "POST", "DELETE"]}, "ratelimit": {"container_
# get tokens for two accounts...
swift@saio-
HTTP/1.1 200 OK
X-Storage-Url: http://
X-Auth-Token: AUTH_tkf1fef50f
Content-Type: text/html; charset=UTF-8
X-Storage-Token: AUTH_tkf1fef50f
Content-Length: 0
X-Trans-Id: txb488f6de9b514
Date: Fri, 23 Jan 2015 15:35:54 GMT
swift@saio-
HTTP/1.1 200 OK
X-Storage-Url: http://
X-Auth-Token: AUTH_tk24af2729
Content-Type: text/html; charset=UTF-8
X-Storage-Token: AUTH_tk24af2729
Content-Length: 0
X-Trans-Id: txdb47515622e64
Date: Fri, 23 Jan 2015 15:36:01 GMT
# 404 when test:tester token tries to GET a container in non-existent account for test2
swift@saio-
Content-Length: 70
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txcb1de75956b64
Date: Fri, 23 Jan 2015 15:36:41 GMT
<html><h1>Not Found</h1><p>The resource could not be found.<
# 404 when test2:tester2 token tries to GET a container in non-existent account for test2
swift@saio-
HTTP/1.1 404 Not Found
Content-Length: 70
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txb5f34f1dd1a34
Date: Fri, 23 Jan 2015 15:37:15 GMT
<html><h1>Not Found</h1><p>The resource could not be found.<
# test2:tester2 creates a container which causes the account to be autocreated
swift@saio-
HTTP/1.1 201 Created
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txcb17dbe687c64
Date: Fri, 23 Jan 2015 15:37:33 GMT
# Now 403 when test:tester token tries to GET a container in account for test2
swift@saio-
HTTP/1.1 403 Forbidden
Content-Length: 73
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx3b706920f7d74
Date: Fri, 23 Jan 2015 15:37:37 GMT
<html><
# Still 404 when test2:tester2 token tries to GET a container in non-existent account for test2
swift@saio-
HTTP/1.1 404 Not Found
Content-Length: 70
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx5e61c4ea46d34
Date: Fri, 23 Jan 2015 15:38:08 GMT
<html><h1>Not Found</h1><p>The resource could not be found.</p></html>
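The ordering problem described in the report, modelled in a few lines of Python. This is an added example, not Swift's own proxy code: the account store, the token table, the request shape and the `(status, reason)` return convention are all constructed here to mirror the tempauth transcript above, and the `swift.authorize` callback follows only the convention the report relies on (return nothing to allow, return a response to deny). The buggy handler answers 404 before consulting the auth middleware; the fixed handler delegates to `swift.authorize` first whenever the account is missing, so only a caller authorized for that account can observe the 404.

```python
"""Constructed model of the 404-before-authorize ordering bug (not Swift code)."""

# Constructed token table: token -> the account that token may read.
TOKENS = {"AUTH_tk_test": "AUTH_test", "AUTH_tk_test2": "AUTH_test2"}


def make_authorize(token):
    """Return a swift.authorize-style callback for a request carrying `token`.

    Convention mirrored from Swift's auth middlewares: return None to allow the
    request, or a response to deny it (here a (status, reason) tuple).
    """
    def authorize(req):
        if token not in TOKENS:
            return (401, "Unauthorized")      # no / unknown token
        if TOKENS[token] != req["account"]:
            return (403, "Forbidden")         # token belongs to another account
        return None
    return authorize


def make_request(account, container, token=None):
    """Minimal request: path parts plus the auth callback in the environ."""
    return {"account": account, "container": container,
            "environ": {"swift.authorize": make_authorize(token)}}


def container_get_buggy(req, existing_accounts):
    """Pre-fix ordering: account existence is checked before authorization.

    Any caller, authorized or not, gets 404 for a missing account but 403 for
    an existing one it may not read, which reveals whether the account exists.
    """
    if req["account"] not in existing_accounts:
        return (404, "Not Found")
    aresp = req["environ"]["swift.authorize"](req)
    if aresp:
        return aresp
    return (200, "OK")


def container_get_fixed(req, existing_accounts):
    """Post-fix ordering: delegate to the auth middleware before admitting
    that the account is missing, so 401/403 are returned as they would be
    for an existing account."""
    if req["account"] not in existing_accounts:
        aresp = req["environ"]["swift.authorize"](req)
        if aresp:
            return aresp
        return (404, "Not Found")
    aresp = req["environ"]["swift.authorize"](req)
    if aresp:
        return aresp
    return (200, "OK")


def status_matrix(handler, existing_accounts):
    """Run the report's scenarios through `handler`; return {case: status}.

    With existing_accounts == {"AUTH_test"}, AUTH_test2 plays the role of the
    not-yet-created account from the transcript.
    """
    cases = {
        "test_token_on_missing_test2": make_request("AUTH_test2", "c", "AUTH_tk_test"),
        "test2_token_on_missing_test2": make_request("AUTH_test2", "c", "AUTH_tk_test2"),
        "no_token_on_missing_test2": make_request("AUTH_test2", "c"),
        "test2_token_on_existing_test": make_request("AUTH_test", "c", "AUTH_tk_test2"),
        "test_token_on_existing_test": make_request("AUTH_test", "c", "AUTH_tk_test"),
    }
    return {name: handler(req, existing_accounts)[0] for name, req in cases.items()}


def leaks_account_existence(handler):
    """Defender's check: does a caller who may not read AUTH_test2 see a
    different status before and after that account is created?"""
    req = make_request("AUTH_test2", "c", "AUTH_tk_test")
    before = handler(req, {"AUTH_test"})[0]
    after = handler(req, {"AUTH_test", "AUTH_test2"})[0]
    return before != after


if __name__ == "__main__":
    for name, handler in (("buggy", container_get_buggy), ("fixed", container_get_fixed)):
        print(name, status_matrix(handler, {"AUTH_test"}),
              "leaks existence:", leaks_account_existence(handler))
```

The `leaks_account_existence` check is the property the report is really about: the buggy ordering turns a 404/403 difference into an account-existence oracle for any holder of a valid token, while the fixed ordering gives that caller 403 in both cases and reserves the 404 for the account's own users (and 401 for unauthenticated requests).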
Changed in ossa: status: New → Incomplete
Changed in ossa: status: Incomplete → Won't Fix; information type: Private Security → Public
Changed in swift: milestone: none → 2.3.0-rc1; status: Fix Committed → Fix Released
Changed in swift: milestone: 2.3.0-rc1 → 2.3.0
The attached script will illustrate the behavior and verify the fix (assumes tempauth).