Red Hat Bugzilla – Attachment 833718 Details for
Bug 1039144
CVE-2013-6428 OpenStack Heat: ReST API doesn't respect tenant scoping
[patch]
cve-2013-6428-stable-havana.patch
cve-2013-6428-stable-havana.patch (text/plain), 4.42 KB, created by
Kurt Seifried
on 2013-12-06 19:02:07 UTC
Description:
cve-2013-6428-stable-havana.patch
Filename:
MIME Type:
Creator:
Kurt Seifried
Created:
2013-12-06 19:02:07 UTC
Size:
4.42 KB
patch
obsolete
>From f2cc3409ec3e0589c30df3927501915dc46be5a4 Mon Sep 17 00:00:00 2001
>From: Steven Hardy <shardy@redhat.com>
>Date: Mon, 2 Dec 2013 23:59:19 +0000
>Subject: [PATCH] Deny API requests where context doesn't match path
>
>We shouldn't overwrite the context tenant_id (which comes from the
>scope of the auth_token) with that from the path, instead raise a
>HTTPForbidden exception if the path-provided tenant_id doesn't match
>the context.
>
>Change-Id: Ib6fb9881103312f7492081a20178f12309f35d81
>Closes-Bug: #1256983
>---
> heat/api/openstack/v1/util.py | 5 +++--
> heat/tests/test_api_openstack_v1.py | 12 ++--------
> heat/tests/test_api_openstack_v1_util.py | 38 ++++++++++++++++++++++++++++++++
> 3 files changed, 43 insertions(+), 12 deletions(-)
> create mode 100644 heat/tests/test_api_openstack_v1_util.py
>
>diff --git a/heat/api/openstack/v1/util.py b/heat/api/openstack/v1/util.py
>index b6dcdc5..ad311a8 100644
>--- a/heat/api/openstack/v1/util.py
>+++ b/heat/api/openstack/v1/util.py
>@@ -21,12 +21,13 @@ from heat.common import identifier
>
> def tenant_local(handler):
> '''
>- Decorator for a handler method that sets the correct tenant_id in the
>+ Decorator for a handler method that checks the path matches the
> request context.
> '''
> @wraps(handler)
> def handle_stack_method(controller, req, tenant_id, **kwargs):
>- req.context.tenant_id = tenant_id
>+ if req.context.tenant_id != tenant_id:
>+ raise exc.HTTPForbidden()
> return handler(controller, req, **kwargs)
>
> return handle_stack_method
>diff --git a/heat/tests/test_api_openstack_v1.py b/heat/tests/test_api_openstack_v1.py
>index 8f41970..f970b00 100644
>--- a/heat/tests/test_api_openstack_v1.py
>+++ b/heat/tests/test_api_openstack_v1.py
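Review bot: The new denial branch in `handle_stack_method` raises `exc.HTTPForbidden()`, but nothing in this hunk shows `exc` bound in util.py — the only visible import context is `from heat.common import identifier` — so confirm `from webob import exc` (the name the new test file uses) is already imported there, otherwise the rejection path fails with a NameError instead of a clean 403. The comparison also denies every request when the context carries no tenant at all (`req.context.tenant_id` is None), which is the safe default but deserves a one-line comment above the check such as `# the tenant in the path is untrusted: it must match the token's scope, never replace it`. Because a mismatch here is by definition a cross-tenant access attempt, it would be worth logging the context tenant and the path value (not the token) before raising so such attempts are visible for audit — hedged, since no logger is visible in this hunk.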
>@@ -884,14 +884,6 @@ class StackControllerTest(ControllerTest, HeatTestCase):
>
> req = self._get('/stacks/%(stack_name)s/%(stack_id)s' % identity)
>
>- error = heat_exc.InvalidTenant(target='a', actual='b')
>- self.m.StubOutWithMock(rpc, 'call')
>- rpc.call(req.context, self.topic,
>- {'namespace': None,
>- 'method': 'show_stack',
>- 'args': {'stack_identity': dict(identity)},
>- 'version': self.api_version},
>- None).AndRaise(to_remote_error(error))
> self.m.ReplayAll()
>
> resp = request_with_middleware(fault.FaultWrapper,
>@@ -900,8 +892,8 @@ class StackControllerTest(ControllerTest, HeatTestCase):
> stack_name=identity.stack_name,
> stack_id=identity.stack_id)
>
>- self.assertEqual(resp.json['code'], 403)
>- self.assertEqual(resp.json['error']['type'], 'InvalidTenant')
>+ self.assertEqual(resp.status_int, 403)
>+ self.assertIn('403 Forbidden', str(resp))
> self.m.VerifyAll()
>
> def test_get_template(self):
>diff --git a/heat/tests/test_api_openstack_v1_util.py b/heat/tests/test_api_openstack_v1_util.py
>new file mode 100644
>index 0000000..2af2b4e
>--- /dev/null
>+++ b/heat/tests/test_api_openstack_v1_util.py
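Review bot: In the second hunk (`@@ -900,8 +892,8 @@`) the rewritten assertions check only `resp.status_int` and the text `'403 Forbidden'`, which no longer proves the request was rejected before reaching the engine; the first hunk (`@@ -884,14 +884,6 @@`) drops the `rpc.call` expectation without replacing it, so if the tenant check were ever bypassed the test would fall through to the real `rpc.call` rather than fail on the spot. Keep `self.m.StubOutWithMock(rpc, 'call')` in the first hunk without recording any expected call, so mox raises an unexpected-call error the moment the engine is reached while `self.m.VerifyAll()` still passes on the correct 403 path. The enclosing test method starts before the first hunk, so its name and the request it builds are not fully visible here.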
>@@ -0,0 +1,38 @@
>+# vim: tabstop=4 shiftwidth=4 softtabstop=4
>+
>+# Licensed under the Apache License, Version 2.0 (the "License"); you may
>+# not use this file except in compliance with the License. You may obtain
>+# a copy of the License at
>+#
>+# http://www.apache.org/licenses/LICENSE-2.0
>+#
>+# Unless required by applicable law or agreed to in writing, software
>+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
>+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
>+# License for the specific language governing permissions and limitations
>+# under the License.
>+
>+from webob import exc
>+
>+from heat.api.openstack.v1 import util
>+from heat.common import context
>+from heat.common.wsgi import Request
>+from heat.tests.common import HeatTestCase
>+
>+
>+class TestTenantLocal(HeatTestCase):
>+ def setUp(self):
>+ super(TestTenantLocal, self).setUp()
>+ self.req = Request({})
>+ self.req.context = context.RequestContext(tenant_id='foo')
>+
>+ def test_tenant_local(self):
>+ @util.tenant_local
>+ def an_action(controller, req):
>+ return 'woot'
>+
>+ self.assertEqual('woot',
>+ an_action(None, self.req, tenant_id='foo'))
>+
>+ self.assertRaises(exc.HTTPForbidden,
>+ an_action, None, self.req, tenant_id='bar')
>--
>1.8.3.1
>
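Review bot: `test_tenant_local` never asserts that the decorator leaves `self.req.context.tenant_id` untouched, yet that is the regression this change exists to prevent (the replaced code overwrote the context tenant with the path value). After the `assertRaises` add `self.assertEqual('foo', self.req.context.tenant_id)`, and, if `RequestContext` accepts it, a second case built with `context.RequestContext(tenant_id=None)` to pin that an unscoped context is denied rather than silently adopting the path tenant. A one-line class docstring naming what is under test would also help, e.g. `'''Tests for util.tenant_local: the path tenant must match the context tenant.'''`.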