yahoo-eng-team team mailing list archive
Message #24975
[Bug 1396544] Re: Default `target={}` value leaks into subsequent `policy.check()` calls
Confirmed class D
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1396544
Title:
Default `target={}` value leaks into subsequent `policy.check()` calls
Status in OpenStack Dashboard (Horizon):
Confirmed
Status in OpenStack Dashboard (Horizon) icehouse series:
New
Status in OpenStack Dashboard (Horizon) juno series:
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
Due to a mutable dictionary being used as the default `target` argument
value, the first target calculated from scratch in the POLICY_CHECK
function will be used for all subsequent calls to POLICY_CHECK with 2
arguments. The wrong `target` can either lead to a reduced set of
operations on an entity for a given user, or to an enlarged one. The
latter case poses a security breach from a cloud operator's point of
view.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1396544/+subscriptions
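
The leak described in the bug report above, as an added example that is not part of the original message and is not Horizon's code. It is a simplified model of a policy check: the rule table, the user dicts and every function name are constructed for illustration. It shows both outcomes the report names (a wrongly granted and a wrongly denied check) next to a corrected signature.

```python
# Added illustration: a simplified model of a policy check, not Horizon's code.
# RULES, the user dicts and all function names are constructed for this example.

RULES = {
    # passes when the caller's project owns the target
    "owner": lambda creds, target: creds["project_id"] == target["project_id"],
    # passes when the target lives in the operators' project
    "ops_resource": lambda creds, target: target["project_id"] == "ops",
}


def check_vulnerable(rule, creds, target={}):
    # BUG: the {} default is built once, when the function is defined, and
    # is shared by every call that omits `target`.
    target.setdefault("project_id", creds["project_id"])
    target.setdefault("user_id", creds["user_id"])
    return RULES[rule](creds, target)


def check_fixed(rule, creds, target=None):
    # Build a fresh dict per call; copying also leaves the caller's dict unmodified.
    target = dict(target or {})
    target.setdefault("project_id", creds["project_id"])
    target.setdefault("user_id", creds["user_id"])
    return RULES[rule](creds, target)


def run_sequence(check):
    operator = {"user_id": "op-1", "project_id": "ops"}        # constructed
    tenant = {"user_id": "tenant-1", "project_id": "tenant"}   # constructed
    return [
        check("ops_resource", operator),  # first 2-argument call fills the target
        check("ops_resource", tenant),    # should be False for a tenant
        check("owner", tenant),           # should be True: target is the tenant's own project
    ]


if __name__ == "__main__":
    print("vulnerable:", run_sequence(check_vulnerable))  # [True, True, False]
    print("fixed:     ", run_sequence(check_fixed))       # [True, False, True]
```

After the first two-argument call, `check_vulnerable.__defaults__[0]` holds the operator's `project_id` and `user_id`, which is the state every later caller inherits.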