Backups - GET backup - does not restrict access to the owner of the backup
Bug #1188822 reported by
David Fecker
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack DBaaS (Trove) |
Fix Released
|
Critical
|
Nikhil Manchanda | ||
Bug Description
Backups - GET backup - does not restrict access to the owner of the backup
Any user can "get" a backup from another user if they know the id of the backup
| Changed in reddwarf: | |
| status: | New → Confirmed |
| importance: | Undecided → Critical |
| Changed in reddwarf: | |
| assignee: | nobody → Nikhil Manchanda (slicknik) |
Revision history for this message
| Nikhil Manchanda (slicknik) wrote | #1 |
Revision history for this message
| David Fecker (david-fecker) wrote | #2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix proposed to reddwarf (master) | #3 |
| Changed in reddwarf: | |
| status: | Confirmed → In Progress |
| Changed in reddwarf: | |
| milestone: | none → havana-2 |
Revision history for this message
| OpenStack Infra (hudson-openstack) wrote Fix merged to trove (master) | #4 |
| Changed in trove: | |
| status: | In Progress → Fix Committed |
| Changed in trove: | |
| status: | Fix Committed → Fix Released |
| Changed in trove: | |
| milestone: | havana-2 → 2013.2 |
To post a comment you must log in.
Just reviewed the code and looks like this is an issue. We're not checking that the tenant who owns the backup is the same as the tenant who is trying to GET the backup by ID.
We need to fix this.