
yahoo-eng-team team mailing list archive

[Bug 1541594] [NEW] Updating image owner to someone else generates a non-intuitive 404 instead of 403

Public bug reported:

When an image owner updates an image's owner to someone else, the update
is prevented (which is a good thing), but with a 404 "Not Found" (not so
good), instead of the 403 "Forbidden".

The reason why Glance returns a 404 "Not Found" is because the image is
re-fetched after being updated, but as the owner and user differ, the
action is forbidden (which gets translated into a "not found" because
under normal circumstances a forbidden would tip an attacker off to the
existence of an image), and the update is never committed.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1541594

Title:
  Updating image owner to someone else generates a non-intuitive 404
  instead of 403

Status in Glance:
  New

Bug description:
  When an image owner updates an image's owner to someone else, the
  update is prevented (which is a good thing), but with a 404 "Not
  Found" (not so good), instead of the 403 "Forbidden".

  The reason why Glance returns a 404 "Not Found" is because the image
  is re-fetched after being updated, but as the owner and user differ,
  the action is forbidden (which gets translated into a "not found"
  because under normal circumstances a forbidden would tip an attacker
  off to the existence of an image), and the update is never committed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1541594/+subscriptions
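
The behaviour described in this report, as an added Python sketch that is not Glance code and not part of the original message. A toy in-memory store (all class and function names are hypothetical, the sample image is constructed) shows how re-fetching as the caller turns a rejected owner change into a 404, next to a variant that rejects the change explicitly with a 403 while non-owners still get a 404.

```python
# Toy model of the behaviour in the report; not Glance code.
# All names here are hypothetical.
import copy

class NotFound(Exception): status = 404
class Forbidden(Exception): status = 403

class Store:
    def __init__(self):
        # Constructed sample data: one private image owned by tenant-a.
        self.images = {"img-1": {"owner": "tenant-a", "name": "base"}}

    def get(self, tenant, image_id):
        image = self.images.get(image_id)
        # Images the caller may not see are reported as missing, so a
        # non-owner cannot probe for the existence of an image.
        if image is None or image["owner"] != tenant:
            raise NotFound(image_id)
        return image

def update_refetch(store, tenant, image_id, changes):
    """Behaviour described in the report: apply, re-fetch, commit."""
    store.get(tenant, image_id)                 # caller can see the image
    snapshot = copy.deepcopy(store.images)
    store.images[image_id].update(changes)
    try:
        return store.get(tenant, image_id)      # re-fetch as the caller
    except NotFound:
        store.images = snapshot                 # update is never committed
        raise

def update_checked(store, tenant, image_id, changes):
    """Reject the owner change explicitly before touching the record."""
    image = store.get(tenant, image_id)         # still 404 for non-owners
    if changes.get("owner", image["owner"]) != image["owner"]:
        # The caller already sees the image, so a 403 reveals nothing new.
        raise Forbidden("owner cannot be reassigned")
    image.update(changes)
    return image

def status_of(fn, *args):
    """Map the outcome of an update call to an HTTP-style status code."""
    try:
        fn(*args)
        return 200
    except (NotFound, Forbidden) as exc:
        return exc.status
```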