access processor allows unsafe query param keys

Bug #737175 reported by clayg on 2011-03-17
This bug affects 1 person
Affects: OpenStack Object Storage (swift)
Importance: High
Assigned to: John Dickinson

Bug Description

stats.access_processor.AccessLogProcessor.log_line_parser counts up the query params on a request as it goes along in order to track the number of requests that used format, path, delimiter, etc.

When a query param collides with a pertinent data key (i.e. method, code, year, etc.) it will overwrite the matched value in the line_data dict (d) with a literal 1 circa stats.access_processor.py:98.

One solution may be to whitelist the query params we want to count, so we don't accidentally break the expected format of the returned line_data structure.

Changed in swift:
assignee: nobody → John Dickinson (notmyname)
John Dickinson (notmyname) wrote :

This description is a little off. The query parameters won't collide since the returned dictionary is built after the query parameters are handled.

Nonetheless, a whitelist of valid parameters is a good idea to prevent some future rearrangement of this code from causing this error to surface.

gholt (gholt) on 2011-03-18
Changed in swift:
status: New → Fix Committed
Thierry Carrez (ttx) on 2011-04-15
Changed in swift:
status: Fix Committed → Fix Released
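
The failure mode described in the report and the whitelist both participants endorse, as an added example that is not Swift's code: a hypothetical parser that stores parsed fields before marking query keys, which is the ordering the comment above says a future rearrangement could introduce. The line format, function names, sample lines and the contents of COUNTED_PARAMS are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Params the report names as worth counting; the exact list is an assumption.
COUNTED_PARAMS = frozenset({"format", "path", "delimiter"})


def parse_line(line, allowed=None):
    """Parse a constructed 'YEAR METHOD URL CODE' line into a flat dict.

    allowed=None marks every query key (the unsafe behaviour);
    passing a set marks only whitelisted keys.
    """
    year, method, url, code = line.split()
    d = {"year": year, "method": method, "code": int(code)}
    for key, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if allowed is not None and key not in allowed:
            continue  # unknown or colliding key: never written into d
        d[key] = 1  # client-chosen key lands beside the parsed fields
    return d


def tally(lines, allowed=None):
    """Aggregate (method, code) counts the way a stats job would."""
    parsed = (parse_line(ln, allowed) for ln in lines)
    return Counter((d["method"], d["code"]) for d in parsed)


# Constructed sample input, not real Swift access logs.
SAMPLE = [
    "2011 GET /v1/AUTH_a/c?format=json&delimiter=/ 200",
    "2011 GET /v1/AUTH_a/c?method=x&code=y 200",
]

if __name__ == "__main__":
    print(tally(SAMPLE))                  # second line tallied as (1, 1)
    print(tally(SAMPLE, COUNTED_PARAMS))  # both lines tallied as ('GET', 200)
```

Without the whitelist, the request's own query string decides what the stats job records for method and code; with it, only the listed keys can ever be written into the dict.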