Object expiration in Swift header 'X-Remove-Delete-At'

Bug #1988310 reported by Andrey Groshrev
Affects: OpenStack Object Storage (swift); Status: New; Importance: Undecided; Assigned to: Unassigned
Affects: OpenStack Security Advisory; Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned

Bug Description

The documentation describes the ability to delete the "x-delete-at" header using a POST request and the "X-Remove-Delete-At:" header.

But there is not a line in the code responsible for this behavior.
Moreover, any custom header erases the "x-delete-at". There is a suspicion that it overwrites everything by default. It's not safe.

-----------------------------------
Release: 2.30.1.dev6 on 2018-08-01 15:17:42
SHA: 933d3938aca74d3d6395e4b041c88a788a22c2bb
Source: https://opendev.org/openstack/swift/src/doc/source/api/object-expiration.rst
URL: https://docs.openstack.org/swift/latest/api/object-expiration.html

Tags: security
Revision history for this message
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.

description: updated
Changed in ossa:
status: New → Incomplete
Revision history for this message
clayg (clay-gerrard) wrote :

I think this is a doc bug, not a security issue.

The last paragraph in https://docs.openstack.org/swift/latest/development_middleware.html#user-metadata describes the expected behavior with object user metadata - any new PUT/POST always replaces all metadata.

The x-remove-meta header behavior is mostly for container metadata (like temp-url keys); I'm not really sure why these old docs about the object expirer call it out https://review.opendev.org/c/openstack/swift/+/588093 - it's not really necessary. So maybe just a doc bug?
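
The behaviour Clay refers to, modelled as an added example (this is not Swift's code and not from the bug's participants): an object POST rebuilds the object's user metadata and X-Delete-At from the request headers alone, so a POST that sends only a new custom header drops the expiration. The second helper is the client-side workaround a practitioner needs today: HEAD the object, then re-send every metadata header together with the change; an explicit `remove` list stands in for what X-Remove-Delete-At would do if the object server implemented it. The `now` parameter, the X-Delete-After to X-Delete-At conversion and the "in the past" rejection mirror the proxy's documented checks; all header values are constructed for the demo.

```python
"""Added example (not Swift's own code): models Swift's replace-all
semantics for object POST and a client-side helper that keeps an
expiration alive across a metadata update."""

USER_META_PREFIX = "x-object-meta-"
EXPIRY_HEADER = "x-delete-at"


def _is_object_metadata(name):
    """True for headers that live in the object's replaceable metadata set."""
    name = name.lower()
    return name.startswith(USER_META_PREFIX) or name == EXPIRY_HEADER


def simulate_object_post(stored_meta, post_headers, now):
    """Model of what the cluster keeps after an object POST.

    stored_meta is what the object had before; it is deliberately not
    consulted, because a POST replaces the whole metadata set (the
    documented behaviour). X-Delete-After is turned into an absolute
    X-Delete-At and an expiry in the past is rejected, as the proxy does.
    """
    del stored_meta  # nothing carries over from the old metadata
    hdrs = {k.lower(): v for k, v in post_headers.items()}
    if "x-delete-after" in hdrs:
        delta = int(hdrs.pop("x-delete-after"))
        if delta <= 0:
            raise ValueError("Non-zero X-Delete-After required")
        hdrs[EXPIRY_HEADER] = str(int(now) + delta)
    if EXPIRY_HEADER in hdrs and int(hdrs[EXPIRY_HEADER]) < now:
        raise ValueError("X-Delete-At in past")
    return {k: v for k, v in hdrs.items() if _is_object_metadata(k)}


def build_preserving_post(head_headers, updates, remove=()):
    """Build POST headers that keep an object's existing metadata.

    head_headers: headers returned by HEAD on the object (any case);
                  non-metadata headers such as Etag are filtered out.
    updates:      metadata headers to add or change.
    remove:       metadata header names to drop, e.g. ("X-Delete-At",),
                  which is the effect the docs attribute to
                  X-Remove-Delete-At.
    """
    merged = {k.lower(): v for k, v in head_headers.items()
              if _is_object_metadata(k)}
    for k, v in updates.items():
        if not _is_object_metadata(k):
            raise ValueError("not an object metadata header: %s" % k)
        merged[k.lower()] = v
    for k in remove:
        merged.pop(k.lower(), None)
    return merged


if __name__ == "__main__":
    # Constructed HEAD response: one custom header plus an expiry.
    head = {
        "Content-Length": "12",
        "Etag": "d41d8cd98f00b204e9800998ecf8427e",
        "X-Object-Meta-Owner": "alice",
        "X-Delete-At": "1735689600",
    }
    now = 1700000000
    naive = simulate_object_post(head, {"X-Object-Meta-Team": "blue"}, now)
    print("naive POST keeps:", naive)        # owner and expiry are gone
    safe = build_preserving_post(head, {"X-Object-Meta-Team": "blue"})
    print("preserving POST sends:", safe)    # owner and expiry re-sent
    print("after preserving POST:", simulate_object_post(head, safe, now))
```

The HEAD-then-POST pattern has an obvious race: a concurrent writer between the two requests is overwritten just like the expiry was. The safe rule is simpler than the helper: any client that POSTs to an object must send the complete metadata set, X-Delete-At included, every time.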

Revision history for this message
Jeremy Stanley (fungi) wrote :

If there's consensus this is best solved by updating swift's documentation, and in absence of any clear and practical exploit scenario of sufficient risk to warrant continued discussion in private, I'll be happy to switch this report to public.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Since nobody has objected to Clay's assertion 6 weeks ago, I'm switching this bug to public and treating as class D per our report taxonomy (incomplete/misleading documentation): https://security.openstack.org/vmt-process.html#report-taxonomy

description: updated
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
tags: added: security