Comment 18 for bug 1449212

John Dickinson (notmyname) wrote :

After further discussion (in IRC), this will be treated as any security issue and there will not be a revert or patch for kilo (swift 2.3.0) before the release.

This issue has a few interesting points:

1) tempurls which allow PUT also allow HEAD.

2) tempurls follow manifests to return the entire object, regardless of where the segments are or permissions on their container

3) because of 1 and 2, a user with a tempurl can create a DLO and then probe the rest of the account for other objects. This is true no matter the key used to generate the tempurl.

4) container keys are meant to be shared with subusers so that the subuser can pass out container-scoped tempurls. The subuser would have an identity (ie token) to access the container.

5) Because of 1, 2, and 4, subusers can probe for objects in the account, ie the tempurl crosses the container boundary.

The solution has a few points:

1) Prevent tempurl PUTs from writing DLOs (by returning an error if x-object-manifest header is on the request).

2) The tempurl should track the scope of the signed url (ie account and container) so that it cannot cross boundaries. In other words, the subrequests generated eg to fetch DLO segments should be authorized according to the original tempurl (not with a blanket "allow" authorize() callback).
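The two solution points above, as an added illustration that is not Swift's own code: a tempurl PUT carrying `X-Object-Manifest` is refused, and a DLO segment subrequest is authorized only if it stays inside the account and container of the path that was actually signed. Paths, account name and segment list are constructed sample values.

```python
import hmac
import hashlib
from typing import Dict, List, Optional, Tuple

def split_object_path(path: str) -> Optional[Tuple[str, str, str]]:
    """Split '/v1/<account>/<container>/<object>' into its three parts.
    Returns None for anything that is not a full object path."""
    parts = path.split('/', 4)          # ['', 'v1', account, container, object]
    if len(parts) != 5 or parts[0] != '' or parts[1] != 'v1' or not all(parts[2:]):
        return None
    return parts[2], parts[3], parts[4]

def tempurl_signature(key: bytes, method: str, expires: int, path: str) -> str:
    """Tempurl signing body is 'METHOD\\nEXPIRES\\nPATH' under HMAC-SHA1; the
    signed PATH is what fixes the account/container scope checked below."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, hashlib.sha1).hexdigest()

def reject_manifest_put(method: str, headers: Dict[str, str]) -> bool:
    """Solution point 1: a tempurl PUT must not be allowed to create a DLO
    manifest, so any x-object-manifest header on a PUT is an error."""
    lowered = {k.lower() for k in headers}
    return method.upper() == 'PUT' and 'x-object-manifest' in lowered

def subrequest_in_scope(signed_path: str, sub_path: str) -> bool:
    """Solution point 2: a subrequest (eg a segment fetch) is authorized only
    when its account and container match the originally signed path."""
    signed = split_object_path(signed_path)
    sub = split_object_path(sub_path)
    if signed is None or sub is None:
        return False
    return signed[:2] == sub[:2]

def authorized_segments(signed_path: str, segment_paths: List[str]) -> List[str]:
    """Filter DLO segment paths through the scoped authorize() callback."""
    return [p for p in segment_paths if subrequest_in_scope(signed_path, p)]

# Constructed sample: a signed manifest and the segments it claims to point at.
SIGNED_PATH = "/v1/AUTH_demo/photos/album.dlo"
SEGMENTS = [
    "/v1/AUTH_demo/photos/segments/001",    # same account + container: allowed
    "/v1/AUTH_demo/private/passwords.txt",  # other container: denied
    "/v1/AUTH_other/photos/segments/001",   # other account: denied
]

if __name__ == "__main__":
    print(reject_manifest_put("PUT", {"X-Object-Manifest": "private/"}))
    print(authorized_segments(SIGNED_PATH, SEGMENTS))
```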