Comment 41 for bug 1489749

OpenStack Infra (hudson-openstack) wrote: Fix merged to swift (master)

Reviewed: https://review.openstack.org/227204
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=a7af802497f3b86d33cbee852500df456c316685
Submitter: Jenkins
Branch: master

commit a7af802497f3b86d33cbee852500df456c316685
Author: Christian Schwede <email address hidden>
Date: Sat Aug 29 16:03:07 2015 +0000

    Do not use pre-authenticated requests in staticweb

    staticweb middleware uses make_pre_authed_env, this makes it possible to
    anonymously list containers without any read acl set if the metadata
    "web-listings: true" is set on a container. Using make_env enforces correct
    read_acl validation; however it is now also required to add ".rlistings" to the
    read acl.

    Also, if the staticweb middleware is put in the proxy pipeline before an
    authentication middleware, it broke authenticated GET and HEAD requests. This
    has some side effects in clients, because an HTML response is sent that might be
    parsed wrongly by the client. In case of python-swiftclient this was shown as an
    empty container without any ACL or web-listings:true meta set. This might lead
    to information leaks, because a user trusts the output from python-swiftclient
    and assumes an empty, private container even if the container contains publicly
    readable data. staticweb now checks if "swift.authorize" is included in the
    environ and skips itself if not.

    Closes-Bug: 1489749
    Change-Id: Icf159d7e567ac5481e710c5910db686bdcba6336
    Depends-On: Ie24bb995023c377e49796910ad80a256b00daa03
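The two behaviours the commit message describes, modelled as an added toy example (not Swift's own code): a pre-authenticated environ copy drops the "swift.authorize" hook and so bypasses the read ACL, while the fixed path keeps the hook, requires ".rlistings" for anonymous listings, and passes through untouched when no auth middleware ran. The helper and function names (make_authorize, container_get, vulnerable_listing, fixed_listing, demo) and the "web-listings" env key are hypothetical; the return convention of the hook (None when allowed, an error status otherwise) is assumed.

```python
# Added illustration of the staticweb bug and fix; not Swift's own code.
# Hypothetical names throughout; only "swift.authorize", ".rlistings" and
# the make_env / make_pre_authed_env pair come from the commit message.

def make_authorize(read_acl):
    """Model of an auth middleware's "swift.authorize" hook (assumed
    convention: None means allowed, otherwise an error status string).
    Anonymous listings are allowed only if ".rlistings" is in the read ACL."""
    def authorize(env):
        return None if ".rlistings" in read_acl else "403 Forbidden"
    return authorize

def make_pre_authed_env(env):
    # Mirrors the effect described for the pre-fix helper: the copied environ
    # carries no "swift.authorize" hook, so downstream treats it as authorized.
    return {k: v for k, v in env.items() if k != "swift.authorize"}

def make_env(env):
    # Plain copy that keeps "swift.authorize", so the read ACL is still checked.
    return dict(env)

def container_get(env, listing):
    """Stand-in for the rest of the pipeline: honours the hook if present."""
    authorize = env.get("swift.authorize")
    if authorize is not None:
        denied = authorize(env)
        if denied:
            return denied, []
    return "200 OK", listing

def vulnerable_listing(env, listing):
    """Pre-fix: "web-listings: true" alone exposes the listing anonymously."""
    if env.get("web-listings") == "true":
        return container_get(make_pre_authed_env(env), listing)
    return "404 Not Found", []

def fixed_listing(env, listing):
    """Post-fix: skip staticweb when no auth middleware ran, and keep the
    hook so ".rlistings" is required for an anonymous listing."""
    if "swift.authorize" not in env:
        return container_get(env, listing)  # pass through untouched
    if env.get("web-listings") == "true":
        return container_get(make_env(env), listing)
    return "404 Not Found", []

def demo():
    """Constructed sample: a container with web-listings set but no read ACL."""
    env = {"web-listings": "true", "swift.authorize": make_authorize([])}
    return vulnerable_listing(env, ["private.txt"]), fixed_listing(env, ["private.txt"])
```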