yahoo-eng-team team mailing list archive

[Bug 1667285] Re: Neutron: Updation of qos-bandwidth-limit-rule-update with some special characters should be restricted

 

The reason why this is so is because the shell characters are being
evaluated [1] when passed as an input to the neutronclient. You can try
the same experiment with any other client (like OpenStack Client) or
any other CLI as well [2].

And, from Neutron's perspective:
When the same values are submitted as a curl request, the response is below:

curl -g -i -X PUT http://10.0.4.186:9696/v2.0/qos/policies/f10cd2a0-4a44-4205-b44d-ee7ed3e1efa9/bandwidth_limit_rules/9237c1a2-1274-4a7b-a801-6db324d3ec2a.json -H "X-Auth-Token: TOKEN_ID" -d '{"bandwidth_limit_rule": {"max_kbps": "1$!0", "max_burst_kbps": "30000"}}'

HTTP/1.1 400 Bad Request
Content-Length: 134
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-5fb5f8cf-cef3-4529-b102-165672d4761c
Date: Thu, 23 Feb 2017 12:16:21 GMT

{"NeutronError": {"message": "Invalid input for max_kbps. Reason: '1$!0' is not an integer.", "type": "HTTPBadRequest", "detail": ""}

[1]: http://docstore.mik.ua/orelly/unix/upt/ch08_19.htm
[2]: http://paste.openstack.org/show/600215/

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1667285

Title:
  Neutron: Updation of  qos-bandwidth-limit-rule-update with some
  special characters should be restricted

Status in neutron:
  Invalid

Bug description:
  Neutron allows updating qos-bandwidth-limit-rule with some special characters.
  I can update "qos-bandwidth-limit-rule-update" with some of the special characters. This should be restricted. I have used "$!", "$@", "$#" in the --max-kbps value.

  Steps:
  $ neutron qos-policy-create qos-policy7

  $ neutron qos-bandwidth-limit-rule-create  <qos-policy-id>  --max-kbps
  10000 --max-burst-kbps 30000

  $ neutron qos-bandwidth-limit-rule-update <qos-bandwidth-rule-id>
  <qos-policy-id> --max-kbps 1$!0 --max-burst-kbps 30000

  In the above command, qos-bandwidth-limit-rule-update is updated with "1$!0";
  this should be restricted.

  Detailed commands pasted here:-
  http://paste.openstack.org/show/600207/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1667285/+subscriptions
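
The shell expansion described in the reply above, as an added example that is not part of the original thread or of the neutron code. The function and variable names are constructed for illustration, and is_integer only mimics the integer check that the API's 400 response reports.

```shell
#!/bin/sh
# Added example (constructed): what a CLI receives after the shell expands
# "$#", "$@" and "$!" inside an unquoted --max-kbps value.

# argv_seen stands in for the client: it records the one argument it was given.
argv_seen() { SEEN=$1; }

# is_integer mimics the check the API's 400 response reports (digits only).
is_integer() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
  esac
  return 0
}

demo_unquoted() {
  set --                          # no positional parameters in this scope
  argv_seen 1$#0; U_HASH=$SEEN    # $# is the parameter count, 0 -> "100"
  argv_seen 1$@0; U_AT=$SEEN      # $@ is empty -> "10"
  true & BG=$!                    # start a background job so $! is set
  wait "$BG"
  argv_seen 1$!0; U_BANG=$SEEN    # $! is that job's PID -> "1<pid>0"
}

demo_quoted() {
  argv_seen '1$!0'; Q_BANG=$SEEN  # single quotes: passed through literally
}

# verdict reports whether the value would pass the integer check.
verdict() {
  if is_integer "$1"; then echo accepted; else echo rejected; fi
}

demo_unquoted
demo_quoted
printf '%s\n' "unquoted 1\$#0 -> $U_HASH ($(verdict "$U_HASH"))"
printf '%s\n' "unquoted 1\$@0 -> $U_AT ($(verdict "$U_AT"))"
printf '%s\n' "unquoted 1\$!0 -> $U_BANG ($(verdict "$U_BANG"))"
printf '%s\n' "quoted '1\$!0' -> $Q_BANG ($(verdict "$Q_BANG"))"
```

The unquoted forms reach the client as plain digits, which is why the update succeeds; only the single-quoted form delivers the literal characters, and that is the value the API rejects.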