yahoo-eng-team team mailing list archive
Message #06707
[Bug 1078055] Re: Some id arguments for OSAPI are not verified to be numeric leading to false matches in mysql
** Changed in: nova
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1078055
Title:
Some id arguments for OSAPI are not verified to be numeric leading to
false matches in mysql
Status in OpenStack Compute (Nova):
Fix Released
Bug description:
Some id arguments for the OSAPI queries should only take numeric
arguments, but this is not verified before passing the id to the db
api. In case of mysql this leads for example to automatic truncation
of non-numeric characters from the end of the string.
Let's say there's a floating ip entry with id=123. If you issue a
request to: "https://api/v1.1/tenant/os-floating-ips/123zzzz", you
will get the floating ip 123 in response. The following line will be
logged:
2012-11-12 18:11:03 WARNING nova.common.deprecated
[req-21324670-f110-4eb1-8c35-bb1aa5581edb None None] Truncated
incorrect DOUBLE value: '123zzzz'
Although this is a trivial thing in this example, probably the code should be fixed or at least reviewed in case there's a possibility of circumventing some security check (for example, if the check passes for non-existent ids, but then allows access on a stripped id).
This bug is likely to happen on more resources than just os-floating-ips.
I believe this issue happens only with a mysql database, but this may
not be correct - other ones may have a similar behaviour.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1078055/+subscriptions
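
The false match described in the report, next to a strict id check done before the value reaches the db layer. This is an added example, not part of the original message and not the nova fix; mysql_like_lookup is a simplified model of MySQL's string-to-number cast, and all function names, the InvalidID class and the sample row are hypothetical.

```python
import re

# Constructed sample table: one floating ip row with id=123, as in the report.
FLOATING_IPS = {123: {"id": 123, "address": "203.0.113.10"}}

# Leading numeric prefix that a lenient string-to-number cast keeps.
_NUMERIC_PREFIX = re.compile(r"\s*[+-]?\d+(\.\d*)?")


def mysql_like_lookup(raw_id):
    """Simplified model of MySQL comparing an integer column to a string.

    The string is cast to a number from its leading numeric prefix
    (0 when there is none); the rest is dropped, which is what the
    "Truncated incorrect DOUBLE value" warning reports.
    """
    m = _NUMERIC_PREFIX.match(raw_id)
    value = float(m.group(0)) if m else 0.0
    return next((row for key, row in FLOATING_IPS.items() if key == value), None)


class InvalidID(ValueError):
    """Hypothetical error that an API layer would map to a 4xx response."""


def parse_id(raw_id):
    """Accept only ASCII decimal digits, so the id that is checked is
    exactly the id that is later used in the query."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise InvalidID("id must be an integer: %r" % raw_id)
    return int(raw_id)


def strict_lookup(raw_id):
    """Validate first, then query with the parsed integer."""
    return FLOATING_IPS.get(parse_id(raw_id))


if __name__ == "__main__":
    for candidate in ("123", "123zzzz", "zzz"):
        print(candidate, "lenient ->", mysql_like_lookup(candidate))
        try:
            print(candidate, "strict  ->", strict_lookup(candidate))
        except InvalidID as exc:
            print(candidate, "strict  -> rejected:", exc)
```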