staticweb reveals container existence when web-listings is disabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | Fix Released | Undecided | Alistair Coles |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned |
Bug Description
When a container has `X-Container-
This is related to but distinct from bug https:/
Here, the only information revealed is the existence of the container.
To reproduce (with tempauth):
# first, setup normal auth'd static web listing on c1...
swift@u134:~/swift$ swift post -r '.r:*,.rlistings' c1
swift@u134:~/swift$ swift post -m 'web-listings: yes' c1
swift@u134:~/swift$ wget localhost:
--2015-10-14 16:12:09-- http://
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)
HTTP request sent, awaiting response... 200 OK
<snip>
# now disable web listings, request is still auth'd by the rlistings in ACL...
swift@u134:~/swift$ swift post -m 'web-listings: no' c1
swift@u134:~/swift$ wget localhost:
--2015-10-14 16:12:24-- http://
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)
HTTP request sent, awaiting response... 404 Not Found
2015-10-14 16:12:24 ERROR 404: Not Found.
# now remove the ACL form the container...
swift@u134:~/swift$ swift post -r '' c1
swift@u134:~/swift$ wget localhost:
--2015-10-14 16:12:43-- http://
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)
HTTP request sent, awaiting response... 404 Not Found
2015-10-14 16:12:43 ERROR 404: Not Found.
# ...ah! staticweb just told us this container exists :(
# whereas this one does not...
swift@u134:~/swift$ wget localhost:
--2015-10-14 16:12:59-- http://
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
I think it's not a security issue because of the used ACL?
"swift post -r '.r:*,.rlistings' c1" enables reading and listing of the container, so revealing the existence of the container looks fine to me. However, the 404 looks wrong to me in this case - the container listing should be returned (as text/plain, json, or xml).
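The following is an added example (not Swift's staticweb code, and not code from the reporter or commenter) that models the decision the bug description and the comment above are about. It walks the three `swift post` steps from the transcript against two simplified handlers: one that answers 404 before auth runs whenever an existing container has web-listings off, which is the behaviour the transcript shows, and one that simply falls through to the normal container GET when listings are off, so the read ACL decides and the listing comes back when `.rlistings` is granted, as the comment suggests. The `Container` model, the `authorize`/`pass_through` stand-ins for the auth middleware and container server, and the constructed account state with a single container `c1` are all assumptions of this example. The `existence_oracle` helper is the check an operator can run against a model of their pipeline: whether an anonymous GET returns different statuses for an existing, non-listable container and one that does not exist.

```python
"""Model of the staticweb decision from the bug report (added example, not Swift's code).
Status codes only; 200 stands for a returned listing."""

from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Container:
    read_acl: str = ""          # X-Container-Read, e.g. ".r:*,.rlistings"
    web_listings: bool = False  # X-Container-Meta-Web-Listings


# Constructed sample state (assumption): container c1 exists, nothing else does.
CONTAINERS: Dict[str, Container] = {"c1": Container()}


def acl_allows_anonymous_listing(read_acl: str) -> bool:
    """True when the read ACL grants both anonymous read and listing."""
    parts = {p.strip() for p in read_acl.split(",") if p.strip()}
    return ".r:*" in parts and ".rlistings" in parts


def authorize(container: Container, authenticated: bool) -> int:
    """Stand-in for the auth middleware: owners pass, anonymous requests pass only via ACL."""
    if authenticated or acl_allows_anonymous_listing(container.read_acl):
        return 200
    return 401


def pass_through(name: str, authenticated: bool) -> int:
    """Stand-in for the pipeline without staticweb: auth first, then the container server."""
    container = CONTAINERS.get(name)
    if container is None:
        return 404 if authenticated else 401
    return authorize(container, authenticated)


def buggy_staticweb_get(name: str, authenticated: bool = False) -> int:
    """Behaviour seen in the transcript: an existing container with listings off
    gets 404 before auth has run, while a nonexistent one falls through to 401."""
    container = CONTAINERS.get(name)
    if container is not None and not container.web_listings:
        return 404  # answered before auth: the status alone confirms existence
    if container is not None:
        return authorize(container, authenticated)  # HTML listing when allowed
    return pass_through(name, authenticated)


def hardened_staticweb_get(name: str, authenticated: bool = False) -> int:
    """Variant matching the comment: with listings off, behave as if staticweb were absent."""
    container = CONTAINERS.get(name)
    if container is not None and container.web_listings:
        return authorize(container, authenticated)
    return pass_through(name, authenticated)


def replay_transcript(handler: Callable[[str], int]) -> List[int]:
    """Anonymous GET status after each `swift post` step in the report, then a
    nonexistent container, for the given handler."""
    c1 = CONTAINERS["c1"]
    results = []
    c1.read_acl, c1.web_listings = ".r:*,.rlistings", True   # post -r ... ; web-listings: yes
    results.append(handler("c1"))
    c1.web_listings = False                                   # web-listings: no
    results.append(handler("c1"))
    c1.read_acl = ""                                          # post -r ''
    results.append(handler("c1"))
    results.append(handler("no-such-container"))
    return results


def existence_oracle(handler: Callable[[str], int]) -> bool:
    """Operator self-check: can an anonymous client tell an existing, non-listable
    container apart from one that does not exist by status code alone?"""
    return handler("c1") != handler("no-such-container")


if __name__ == "__main__":
    print("buggy    :", replay_transcript(buggy_staticweb_get),
          "oracle:", existence_oracle(buggy_staticweb_get))
    print("hardened :", replay_transcript(hardened_staticweb_get),
          "oracle:", existence_oracle(hardened_staticweb_get))
```

For the buggy handler the replay yields 200, 404, 404, 401, matching the transcript, and the oracle check is true; for the fall-through handler it yields 200, 200, 401, 401, so the second step returns the listing the ACL already permits and an anonymous request can no longer separate a hidden container from a missing one.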