yahoo-eng-team team mailing list archive

[Bug 1396544] Re: Default `target={}` value leaks into subsequent `policy.check()` calls

 

Confirmed class D

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1396544

Title:
  Default `target={}` value leaks into subsequent `policy.check()` calls

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Dashboard (Horizon) icehouse series:
  New
Status in OpenStack Dashboard (Horizon) juno series:
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Due to a mutable dictionary being used as the default `target` argument
  value, the first target calculated from scratch in the POLICY_CHECK
  function will be used for all subsequent calls to POLICY_CHECK with 2
  arguments. The wrong `target` can either lead to a reduced set of
  operations on an entity for a given user, or to an enlarged one. The
  latter case poses a security breach from a cloud operator's point of
  view.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1396544/+subscriptions
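
The failure mode described in the bug, as an added example that is not part of the original report and is not Horizon's code: a policy check that fills a default `target={}` in place, next to a corrected form using a `None` sentinel. The `Request` class, both rules, the function names and the sample users and projects are assumptions made up for illustration.

```python
# Added illustration: every name and rule below is hypothetical, not Horizon code.
TRUSTED_PROJECTS = {"ops"}  # constructed sample data


class Request:
    """Minimal stand-in for a request carrying the caller's identity."""

    def __init__(self, user_id, project_id):
        self.user_id = user_id
        self.project_id = project_id


def owner_rule(request, target):
    # Allow when the target lives in the caller's own project.
    return target["project_id"] == request.project_id


def trusted_rule(request, target):
    # Allow when the target lives in a trusted project.
    return target["project_id"] in TRUSTED_PROJECTS


def check_leaky(rule, request, target={}):
    # BUG: the {} is created once, at function definition time. Filling it in
    # place makes the first caller's identity the default for everyone after.
    target.setdefault("project_id", request.project_id)
    target.setdefault("user_id", request.user_id)
    return rule(request, target)


def check_fixed(rule, request, target=None):
    # None sentinel plus a copy: each call gets a fresh dict, and a dict
    # passed in by the caller is not mutated either.
    target = dict(target or {})
    target.setdefault("project_id", request.project_id)
    target.setdefault("user_id", request.user_id)
    return rule(request, target)


if __name__ == "__main__":
    ops, dev = Request("alice", "ops"), Request("bob", "dev")
    print(check_leaky(owner_rule, ops))    # first call fills the shared default
    print(check_leaky(owner_rule, dev))    # reduced access: stale "ops" target
    print(check_leaky(trusted_rule, dev))  # enlarged access: stale "ops" target
    print(check_leaky.__defaults__[0])     # the leaked state lives here
    print(check_fixed(owner_rule, dev), check_fixed(trusted_rule, dev))
```

Inspecting `__defaults__` on a function in a long-running process is a quick way to confirm whether a default argument has accumulated state from earlier calls.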