non-ascii s3api usernames with invalid creds cause 500s
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Object Storage (swift) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
On a vsaio today you can have a non-ascii user setup and working with swift:
user_test☃_tester☃ = testing☃ .admin
You can also configure your aws-cli client and that works too:
aws_access_key_id = test☃:tester☃
aws_secret_
But if you *misconfigure* you aws-cli client
aws_access_key_id = test☃:tester☃
aws_secret_
... you'll get a traceback:
Mar 22 13:53:36 saio proxy-server: Expected a WSGI string; got '/v1/test☃
Traceback (most recent call last):
File "/vagrant/
resp = self.handle_
File "/vagrant/
res = handler(req)
File "/vagrant/
resp = req.get_
File "/vagrant/
return self._get_
File "/vagrant/
sw_resp = sw_req.
File "/vagrant/
status, headers, app_iter = self.call_
File "/vagrant/
app_iter = application(
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.app(env, start_response)
File "/vagrant/
return self.account_
File "/vagrant/
return account_
File "/vagrant/
app_resp = self._app_
File "/vagrant/
resp = reiterate(resp)
File "/vagrant/
chunk = next(iterator)
File "/vagrant/
metric_name = self.statsd_
File "/vagrant/
stat_type = self.get_
File "/vagrant/
swift_path = req.environ.
File "/vagrant/
return wsgi_quote(
File "/vagrant/
raise TypeError('Expected a WSGI string; got %r' % wsgi_str)
TypeError: Expected a WSGI string; got '/v1/test☃:tester☃' (txn: txa08f5cb938534
the issue is related to how tempauth and probably other middlewares handle fixing the invalid string that s3api puts into PATH_INFO, probably s3api shouldn't pollute PATH_INFO with invalid strings.
Changed in swift: | |
status: | New → In Progress |
Reviewed: https:/ /review. opendev. org/c/openstack /swift/ +/913723 /opendev. org/openstack/ swift/commit/ 8424b02290c75a7 e1eb2e36296b419 26f041249a
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 8424b02290c75a7 e1eb2e36296b419 26f041249a
Author: Tim Burke <email address hidden>
Date: Tue Mar 19 15:36:26 2024 -0700
s3api: Fix handling of non-ascii access keys
We stuff the access key into the request path until we get back a authoritative account name from auth. But it needs to be a WSGI
more-
string when we do!
Closes-Bug: #2058748 2d17a27f01c63f4 0d1dd25991c
Change-Id: I34adb8141cc9e6