access processor allows unsafe query param keys
Bug #737175 reported by clayg
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Object Storage (swift) | Fix Released | High | John Dickinson | |
Bug Description
stats.access_
When a query param collides with a pertinent data key (i.e. method, code, year, etc.) it will overwrite the matched value in the line_data dict (d) with a literal 1 circa stats.access_
One solution may be to whitelist the query params we want to count, so we don't accidentally break the expected format of the returned line_data structure.
Related branches
lp:~notmyname/swift/fix_query_parsing
- Swift Core security contacts: Pending requested
Diff: 69 lines (+28/-2)
3 files modified
swift/stats/access_processor.py (+4/-1)
test/unit/stats/test_access_processor.py (+24/-0)
test/unit/stats/test_log_processor.py (+0/-1)
Changed in swift:
assignee: nobody → John Dickinson (notmyname)
Changed in swift:
status: New → Fix Committed
Changed in swift:
status: Fix Committed → Fix Released
This description is a little off. The query parameters won't collide since the returned dictionary is built after the query parameters are handled.
Nonetheless, a whitelist of valid parameters is a good idea to prevent some future rearrangement of this code from causing this error to surface.
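The following is an added example, not code from Swift or from the linked branch. It shows how the collision discussed in this report depends on merge order and how an allowlist removes that dependence. The function `build_line_data`, the `COUNTED_PARAMS` set and the sample request are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical allowlist: the page does not say which parameters get counted.
COUNTED_PARAMS = frozenset({"format", "marker", "prefix", "delimiter"})


def build_line_data(method, code, request, allowed=None, params_last=True):
    """Build a line_data-style dict for one access-log record.

    allowed=None counts every query key (the behaviour in the report);
    params_last controls whether the flags are merged after the fixed fields.
    """
    path, _, query = request.partition("?")
    fixed = {"method": method, "code": int(code), "request": path}
    # Each counted parameter becomes a presence flag: the "literal 1".
    flags = {
        key: 1
        for key, _ in parse_qsl(query, keep_blank_values=True)
        if allowed is None or key in allowed
    }
    d = {}
    for part in ((fixed, flags) if params_last else (flags, fixed)):
        d.update(part)
    return d


# Constructed request: two parameters reuse field names, one is junk.
REQUEST = "/v1/AUTH_test/c?format=json&method=DELETE&code=500&bogus=1"

if __name__ == "__main__":
    for label, kwargs in [
        ("params merged last", {}),
        ("params merged first", {"params_last": False}),
        ("allowlisted", {"allowed": COUNTED_PARAMS}),
    ]:
        print(label, build_line_data("GET", "200", REQUEST, **kwargs))
```

With the allowlist the result is the same in either merge order, and unrecognised keys such as `bogus` no longer reach the record.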