yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1396544] Re: Default `target={}` value leaks into subsequent `policy.check()` calls

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 18 Dec 2014 16:20:23 -0000
Reply-to: Bug 1396544 <1396544@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: horizon
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1396544

Title:
  Default `target={}` value leaks into subsequent `policy.check()` calls

Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in OpenStack Dashboard (Horizon) icehouse series:
  Fix Committed
Status in OpenStack Dashboard (Horizon) juno series:
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Due to mutable dictionary being used as the default `target` argument
  value the first target calculated from scratch in POLICY_CHECK
  function will be used for all subsequent calls to POLICY_CHECK with 2
  arguments. The wrong `target` can either lead to a reduced set of
  operations on an entity for a given user, or to enlarged one. The
  latter case poses a security breach from an cloud operators' point of
  view.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1396544/+subscriptions