CORS requests against encrypted objects don't expose x-object-meta-* headers

Bug #1868045 reported by Tim Burke
Affects: OpenStack Object Storage (swift)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

This is because access-control-allow-headers is currently calculated down in the proxy-server app -- https://github.com/openstack/swift/blob/2.24.0/swift/proxy/controllers/base.py#L252-L277 -- but encryption has shifted all of those headers into a different x-object-transient-sysmeta-crypto-meta-* namespace and the decrypter doesn't update the CORS header when it shifts them back.

Note that this leaks information about whether encryption is turned on or not in a cluster. I don't think this is a security concern per se, but certainly one of the design goals of encryption was to have it be completely transparent to the client.

I see two ways to fix it:

Easy lift - have the decrypter update the exposed headers after decrypting user meta, as in https://review.opendev.org/#/c/712237/

Heavy lift - pull CORS handling out to middleware, as in https://review.opendev.org/#/c/528106/
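The header flow the report describes, as an added toy model that is not swift's own code: the proxy computes Access-Control-Expose-Headers (the CORS header that decides which response headers a browser script may read) before the decrypter runs, so an encrypted object's user metadata is restored but never exposed; the "easy lift" fix recomputes the list afterwards. The prefixes, the sample headers and the value "decryption" (a plain namespace shift) are simplifying assumptions.

```python
# Added example, not swift's own code: models the CORS expose-header
# computation and the decrypter's namespace shift from the bug report.
USER_META = "x-object-meta-"
# Assumed stand-in for the namespace the encrypter moves user metadata into.
CRYPTO_META = "x-object-transient-sysmeta-crypto-meta-"
EXPOSE = "Access-Control-Expose-Headers"

def cors_expose_headers(headers):
    """Proxy-controller logic: expose the x-object-meta-* headers it can see."""
    exposed = {"etag", "x-timestamp", "x-trans-id"}
    exposed.update(h.lower() for h in headers if h.lower().startswith(USER_META))
    return ", ".join(sorted(exposed))

def decrypt_user_meta(headers):
    """Decrypter stand-in: move crypto-meta headers back to x-object-meta-*.
    Real value decryption is omitted; only the namespace shift matters here."""
    restored = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(CRYPTO_META):
            restored[USER_META + lname[len(CRYPTO_META):]] = value
        else:
            restored[name] = value
    return restored

def buggy_pipeline(backend_headers):
    """Expose list computed in the proxy app before the decrypter runs."""
    headers = dict(backend_headers)
    headers[EXPOSE] = cors_expose_headers(headers)
    return decrypt_user_meta(headers)  # metadata restored, CORS header stale

def fixed_pipeline(backend_headers):
    """Easy-lift fix: decrypter recomputes the expose list after restoring."""
    headers = buggy_pipeline(backend_headers)
    headers[EXPOSE] = cors_expose_headers(headers)
    return headers

def exposed_set(headers):
    """Parse the expose header back into a set for comparison."""
    return set(headers[EXPOSE].split(", "))

# Constructed sample: the same object as stored without and with encryption.
PLAIN = {"Etag": "d41d8cd9", "X-Timestamp": "1583790358.0",
         "X-Object-Meta-Color": "blue"}
ENCRYPTED = {"Etag": "d41d8cd9", "X-Timestamp": "1583790358.0",
             "X-Object-Transient-Sysmeta-Crypto-Meta-Color": "<ciphertext>"}

if __name__ == "__main__":
    print("buggy:", buggy_pipeline(ENCRYPTED)[EXPOSE])
    print("fixed:", fixed_pipeline(ENCRYPTED)[EXPOSE])
```

With the buggy pipeline, an encrypted and an unencrypted cluster return different expose lists for the same object, which is the encryption-visibility leak the report mentions.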

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (master)

Reviewed: https://review.opendev.org/c/openstack/swift/+/712237
Committed: https://opendev.org/openstack/swift/commit/cd693e519e71dfc95a0de389293a2df2523a7d70
Submitter: "Zuul (22348)"
Branch: master

commit cd693e519e71dfc95a0de389293a2df2523a7d70
Author: Tim Burke <email address hidden>
Date: Mon Mar 9 13:45:58 2020 -0700

    encryption: Expose decrypted metadata via CORS

    Normally, the proxy object controller would be adding these, but when
    encrypted, there won't be any headers in the x-object-meta-* namespace.

    Closes-Bug: #1868045
    Change-Id: I8e708a60ee63f679056300fc9d68227e46d605e8

Changed in swift:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/swift 2.31.1

This issue was fixed in the openstack/swift 2.31.1 release.
