yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1078055] Re: Some id arguments for OSAPI are not verified to be numeric leading to false matches in mysql

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Wed, 04 Dec 2013 10:05:35 -0000
Reply-to: Bug 1078055 <1078055@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1078055

Title:
  Some id arguments for OSAPI are not verified to be numeric leading to
  false matches in mysql

Status in OpenStack Compute (Nova):
  Fix Released

Bug description:
  Some id arguments for the OSAPI queries should only take numeric
  arguments, but this is not verified before passing the id to the db
  api. In case of mysql this leads for example to automatic truncation
  of non-numeric characters from the end of the string.

  Lets say there's a floating ip entry with id=123. If you issue a
  request to: "https://api/v1.1/tenant/os-floating-ips/123zzzz";, you
  will get the floating ip 123 in response. The following line will be
  logged:

  2012-11-12 18:11:03 WARNING nova.common.deprecated
  [req-21324670-f110-4eb1-8c35-bb1aa5581edb None None] Truncated
  incorrect DOUBLE value: '123zzzz'

  Although this is a trivial thing in this example, probably the code should be fixed or at least reviewed in case there's a possibility of circumventing some security check. (for example if the check passes for non-existant ids, but then allows access on a stripped id)
  This bug is likely to happen on more resources than just os-floating-ips.

  I believe this issue happens only with a mysql database, but this may
  not be correct - other ones may have a similar behaviour.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1078055/+subscriptions