Bug 1029418 - [AMQP 1.0] check ACL before resolving node
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 3.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: 3.0
Target Release: ---
Assigned To: Gordon Sim
QA Contact: Zdenek Kraus
Blocks: 1010399
Reported: 2013-11-12 06:20 EST by Gordon Sim
Modified: 2015-01-21 07:55 EST
Fixed In Version: qpid-cpp-0.22-26
Doc Type: Bug Fix
Last Closed: 2015-01-21 07:55:58 EST
Type: Bug
External Trackers: Apache JIRA QPID-5299
Description Gordon Sim 2013-11-12 06:20:42 EST
Description of problem:

A user attempting to access a non-existent node will get a not-found error even if they don't have permission to access such a node. They should not be given any information on whether or not the node exists unless they first have permission.

Version-Release number of selected component (if applicable):

Early Access

How reproducible:

100%

Steps to Reproduce:
1. create policy that denies a given user all rights
2. using that user, try to send to or receive from any node name

Actual results:

Get not-found error where node doesn't exist.

Expected results:

Should get unauthorized access error whether or not node exists.

Additional info:
Comment 1 Gordon Sim 2013-11-12 06:21:48 EST
Fixed upstream: https://svn.apache.org/r1540041
Comment 2 Zdenek Kraus 2014-03-25 02:29:17 EDT
Tested on RHEL 6.5 i686, x86_64, with the following packages:

perl-qpid-0.22-11.el6
python-qpid-0.22-12.el6
python-qpid-qmf-0.22-28.el6
qpid-cpp-client-0.22-36.el6
qpid-cpp-client-devel-0.22-36.el6
qpid-cpp-client-devel-docs-0.22-36.el6
qpid-cpp-debuginfo-0.22-36.el6
qpid-cpp-server-0.22-36.el6
qpid-cpp-server-devel-0.22-36.el6
qpid-cpp-server-ha-0.22-36.el6
qpid-cpp-server-linearstore-0.22-36.el6
qpid-cpp-server-xml-0.22-36.el6
qpid-java-client-0.22-6.el6
qpid-java-common-0.22-6.el6
qpid-java-example-0.22-6.el6
qpid-jca-0.22-2.el6
qpid-jca-xarecovery-0.22-2.el6
qpid-proton-c-0.6-1.el6
qpid-proton-c-devel-0.6-1.el6
qpid-proton-debuginfo-0.6-1.el6
qpid-qmf-0.22-28.el6
qpid-qmf-debuginfo-0.22-28.el6
qpid-snmpd-1.0.0-16.el6
qpid-snmpd-debuginfo-1.0.0-16.el6
qpid-tools-0.22-9.el6
ruby-qpid-qmf-0.22-28.el6


-> VERIFIED
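
The check order from the description, as an added example that is not qpid-cpp's code or the upstream fix: a toy broker (all type and function names are hypothetical) in which resolving the node before the ACL check lets a denied user tell existing nodes from non-existent ones, while checking the ACL on the requested name first returns the same unauthorized error for both.

```cpp
#include <set>
#include <stdexcept>
#include <string>
#include <utility>

// Hypothetical error types; the names are not qpid-cpp's.
struct NotFound : std::runtime_error { using std::runtime_error::runtime_error; };
struct Unauthorized : std::runtime_error { using std::runtime_error::runtime_error; };

// Toy broker: existing nodes plus an allow-list of (user, node name) pairs.
struct Broker {
    std::set<std::string> nodes;
    std::set<std::pair<std::string, std::string>> allowed;

    // Default deny, like the "denies a given user all rights" policy in the report.
    bool authorised(const std::string& user, const std::string& node) const {
        return allowed.count({user, node}) > 0;
    }
    // Order behind "Actual results": resolve first, so existence leaks to anyone.
    void attachResolveFirst(const std::string& user, const std::string& node) const {
        if (!nodes.count(node)) throw NotFound(node);
        if (!authorised(user, node)) throw Unauthorized(node);
    }
    // Order behind "Expected results": ACL decision on the requested name first.
    void attachAclFirst(const std::string& user, const std::string& node) const {
        if (!authorised(user, node)) throw Unauthorized(node);
        if (!nodes.count(node)) throw NotFound(node);
    }
};

// Returns what the client observes: "ok", "not-found" or "unauthorized".
std::string observe(const Broker& b, bool aclFirst,
                    const std::string& user, const std::string& node) {
    try {
        if (aclFirst) b.attachAclFirst(user, node);
        else b.attachResolveFirst(user, node);
        return "ok";
    } catch (const NotFound&) { return "not-found"; }
      catch (const Unauthorized&) { return "unauthorized"; }
}

// Constructed sample: one existing node, one permitted user, nothing for "mallory".
Broker sampleBroker() {
    Broker b;
    b.nodes.insert("orders");
    b.allowed.emplace("alice", "orders");
    b.allowed.emplace("alice", "missing");
    return b;
}
```

A regression test for this class of bug asserts that a denied user's error is identical for an existing and a non-existent node name, as the expected results require.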
