Controller method accessible via HTTP verb
Bug #1592250 reported by Kota Tsuyuzaki
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Swift3 | Fix Released | Undecided | Unassigned |
Bug Description
The current swift3 middleware can allow access to controller instance methods via the HTTP verb, and it may carry a risk of being attacked, e.g. by brute force.
likely:
from boto.s3.connection import S3Connection
conn = S3Connection(
# expected 405 Method Not Allowed but this results in 500 InternalError
conn.
Probably all instance methods except the public verb-like ones don't work well and nothing is leaked, but it will absolutely return 500 InternalError without any information. This is worse. Thus we should restrict the methods anyway.
Reviewed: https://review.openstack.org/329265
Committed: https://git.openstack.org/cgit/openstack/swift3/commit/?id=4336ff4f99108a302b6cefd00b14c38c2855fe2a
Submitter: Jenkins
Branch: master
commit 4336ff4f99108a302b6cefd00b14c38c2855fe2a
Author: Kota Tsuyuzaki <email address hidden>
Date: Mon Jun 13 21:49:48 2016 -0700
Deny all access to controller instance method
The current swift3 middleware can allow access to controller instance
methods via the HTTP verb, and it may carry a risk of being attacked, e.g.
by brute force.
likely:
from boto.s3.connection import S3Connection
conn = S3Connection(<snip>)
# expected 405 Method Not Allowed but this results in 500
# InternalError
conn.make_request('_delete_segments_bucket', 'bucket')
Probably all instance methods except the public verb-like ones don't work
well and nothing is leaked, but it will absolutely return 500 InternalError
without any information. This is worse. Thus we should restrict the methods
anyway.
This patch fixes it by setting the swift.common.utils.public decorator on
all public methods; the middleware will then deny access to non-public
methods.
Closes-Bug: #1592250
Change-Id: Ia5579011701eaff2bca555efe950b0c11a3ff5b9
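The failure mode in the bug description and the fix in the commit message above, as an added example that is not swift3's or Swift's own code. It models a WSGI-style controller whose verb handlers are looked up by attribute name: the "before" dispatcher reaches any instance method (the internal helper runs its side effect and then surfaces as a generic 500), while the "after" dispatcher only calls methods flagged by a `public` decorator and answers 405 otherwise. The `public` decorator here follows the attribute-flag style of `swift.common.utils.public`; the `BucketController`, `Request`, `dispatch_unrestricted`, `dispatch_restricted`, `run_scenario` and `list_public_verbs` names are constructed for illustration.

```python
"""Added example: verb-to-method dispatch before and after an allow-list.

A simplified stand-in for the pattern the bug describes, not the swift3
middleware's own code. All classes and sample state are constructed.
"""


class Request:
    """Minimal constructed request: only the fields the dispatcher reads."""

    def __init__(self, method, path):
        self.method = method
        self.path = path


def public(func):
    """Mark a controller method as reachable through an HTTP verb.

    Modelled on the attribute-flag style of swift.common.utils.public
    (assumption: the real decorator's details may differ).
    """
    func.publicly_accessible = True
    return func


class BucketController:
    """Constructed controller: two verb handlers plus one internal helper."""

    def __init__(self, segments):
        self.segments = segments  # constructed internal state

    @public
    def GET(self, req):
        return 200, 'bucket listing'

    @public
    def DELETE(self, req):
        return 204, ''

    def _delete_segments_bucket(self, req):
        # Internal helper: different return shape from a verb handler and
        # never meant to be driven by a request.
        self.segments.clear()
        return 'segments deleted'


def dispatch_unrestricted(controller, req):
    """'Before' behaviour: any attribute named by the verb gets called."""
    handler = getattr(controller, req.method, None)
    if handler is None:
        return 405, 'Method Not Allowed'
    try:
        # Internal helpers do not return (status, body), so the call or the
        # unpacking blows up and is reported as a bare 500, but only after
        # whatever side effect the helper had already happened.
        status, body = handler(req)
        return status, body
    except Exception:
        return 500, 'InternalError'


def dispatch_restricted(controller, req):
    """'After' behaviour: only methods flagged by @public are reachable."""
    handler = getattr(controller, req.method, None)
    # Bound methods expose attributes set on the underlying function, so the
    # flag survives the instance lookup.
    if handler is None or not getattr(handler, 'publicly_accessible', False):
        return 405, 'Method Not Allowed'
    status, body = handler(req)
    return status, body


def list_public_verbs(controller):
    """Audit helper: enumerate which attributes a dispatcher may expose."""
    return sorted(
        name for name in dir(controller)
        if getattr(getattr(controller, name), 'publicly_accessible', False)
    )


def run_scenario(dispatch):
    """Send a normal verb and an internal-method name through a dispatcher.

    Returns (status for GET, status for the bogus verb, segments remaining).
    """
    ctrl = BucketController(segments=['seg1', 'seg2'])  # constructed state
    ok_status, _ = dispatch(ctrl, Request('GET', '/bucket'))
    bad_status, _ = dispatch(ctrl, Request('_delete_segments_bucket', '/bucket'))
    return ok_status, bad_status, len(ctrl.segments)


if __name__ == '__main__':
    print('unrestricted:', run_scenario(dispatch_unrestricted))  # (200, 500, 0)
    print('restricted:  ', run_scenario(dispatch_restricted))    # (200, 405, 2)
    print('public verbs:', list_public_verbs(BucketController([])))
```

The point of the two tuples is the third field: under the unrestricted dispatcher the internal helper has already cleared the segments by the time the 500 is produced, so "nothing leaked" does not mean "nothing happened". Checking the flag before the call, as the patch does, keeps the request from touching anything that was not deliberately marked as a verb handler, and `list_public_verbs` gives a quick way to review exactly which names that is.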