
yahoo-eng-team team mailing list archive

[Bug 1482301] [NEW] 'X-Openstack-Request-ID' length limited only by header size


*** This bug is a security vulnerability ***

Public security bug reported:

Glance accepts the 'X-Openstack-Request-ID' header and includes the value in
log files. The length of the Request ID is limited only by the
max_header_line parameter, which defaults to 16384. This opens the possibility
to flood the logs.

Public as this vulnerability was already discussed today on Glance
weekly meeting.

** Affects: glance
     Importance: Critical
     Assignee: Erno Kuvaja (jokke)
         Status: In Progress


** Tags: log

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1482301

Title:
  'X-Openstack-Request-ID' length limited only by header size

Status in Glance:
  In Progress

Bug description:
  Glance accepts the 'X-Openstack-Request-ID' header and includes the value
  in log files. The length of the Request ID is limited only by the
  max_header_line parameter, which defaults to 16384. This opens the
  possibility to flood the logs.

  Public as this vulnerability was already discussed today on Glance
  weekly meeting.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1482301/+subscriptions
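The mitigation the report calls for is to stop trusting the client-supplied request ID as-is before it is written to the log. The following is an added example, not Glance's own code: a small WSGI middleware that bounds the length and character set of `X-Openstack-Request-ID` and substitutes a server-generated `req-<uuid>` when the client value is rejected. The 64-character limit, the allowed character set, and the `openstack.request_id` environ key are assumptions chosen for this example; the 16000-character "flood" value is constructed to sit just under the 16384 `max_header_line` default mentioned in the report.

```python
"""Bounding the X-Openstack-Request-ID header before it reaches the logs.

Added example (not Glance's own code). Limits and names below are assumptions.
"""
import re
import uuid

# Assumed limit for this example; a real deployment would make it configurable.
MAX_REQUEST_ID_LENGTH = 64

# Assumed allowed charset: enough for the "req-<uuid>" shape, nothing that
# could break a single-line log record (no whitespace, no control characters).
_ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")


def generate_request_id():
    """Fresh request id in the 'req-<uuid>' shape used across OpenStack."""
    return "req-" + str(uuid.uuid4())


def sanitize_request_id(value, max_length=MAX_REQUEST_ID_LENGTH):
    """Return (request_id, accepted).

    accepted is False when the client value was missing, empty, longer than
    max_length, or contained characters outside the allowed set; in that case
    a server-generated id is returned instead, so the log line stays bounded.
    """
    if value is None:
        return generate_request_id(), False
    value = value.strip()
    if not value or len(value) > max_length or not _ALLOWED.match(value):
        return generate_request_id(), False
    return value, True


class BoundedRequestIdMiddleware:
    """WSGI middleware that rewrites an oversized or malformed client request
    id in the environ before any downstream code logs it."""

    def __init__(self, app, max_length=MAX_REQUEST_ID_LENGTH):
        self.app = app
        self.max_length = max_length
        self.rejected = 0  # counter a deployment could export as a metric

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_OPENSTACK_REQUEST_ID")
        request_id, accepted = sanitize_request_id(raw, self.max_length)
        if not accepted:
            self.rejected += 1
        environ["HTTP_X_OPENSTACK_REQUEST_ID"] = request_id
        environ["openstack.request_id"] = request_id  # assumed key name
        return self.app(environ, start_response)


def _echo_app(environ, start_response):
    """Stand-in for the API: returns the id that downstream code would log."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["openstack.request_id"].encode()]


def run_request(header_value, max_length=MAX_REQUEST_ID_LENGTH):
    """Drive one constructed request through the middleware.

    Returns (request_id_seen_downstream, client_value_was_accepted).
    """
    mw = BoundedRequestIdMiddleware(_echo_app, max_length)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v2/images"}
    if header_value is not None:
        environ["HTTP_X_OPENSTACK_REQUEST_ID"] = header_value
    body = b"".join(mw(environ, lambda status, headers: None))
    return body.decode(), mw.rejected == 0


if __name__ == "__main__":
    good = "req-" + "a" * 36          # constructed, well-formed id
    flood = "A" * 16000               # constructed, just under max_header_line
    print(run_request(good))          # client id kept
    print(run_request(flood))         # replaced by a short server-generated id
```

The middleware never rejects the request itself; it only refuses to let an unbounded client string become part of the log record, which is what the report's "flood the logs" concern is about. Counting rejections gives operators a cheap signal that someone is sending oversized request IDs.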

