Controller method accessible via HTTP verb
Bug #1592250 reported by
Kota Tsuyuzaki
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Swift3 |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Current swift3 middleware can allow to access the controller instance method via HTTP verb and it may have a risk to be attacked like brute force.
likely:
from boto.s3.connection import S3Connection
conn = S3Connection(
# expected 405 Method Not Allowed but this results in 500 InternalError
conn.
Probably all instance method except public verb like ones don't work well and nothing leaked but it will absolutely 500 InternalError without any information. This is worse. Thus we should strict the method anyway.
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to swift3 (master) | #1 |
| Changed in swift3: | |
| status: | New → Fix Released |
To post a comment you must log in.
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit 4336ff4f99108a3
Author: Kota Tsuyuzaki <email address hidden>
Date: Mon Jun 13 21:49:48 2016 -0700
Deny all access to controller instance method
Current swift3 middleware can allow to access the controller instance
method via HTTP verb and it may have a risk to be attacked like brute
force.
likely:
from boto.s3.connection import S3Connection
conn = S3Connection(
# expected 405 Method Not Allowed but this results in 500
# InternalError
conn.
Probably all instance method except public verb like ones don't work
well and nothing leaked but it will absolutely 500 InternalError without
any information. This is worse. Thus we should strict the method anyway.
This patch fixes it to set swift.common.
public methods and then middleware will deny the accesses for non-public
methods.
Closes-Bug: #1592250
Change-Id: Ia5579011701eaf