yahoo-eng-team team mailing list archive
Message #61769
[Bug 1667285] Re: Neutron: Updation of qos-bandwidth-limit-rule-update with some special characters should be restricted
The reason why this is so is because the shell characters are being
evaluated [1] when passed as an input to the neutronclient. You can try
the same experiment with any other client (like OpenStack Client) or
any other CLI as well. [2]
And, from Neutron's perspective:
When the same values are submitted as a curl request, the response is below:
curl -g -i -X PUT http://10.0.4.186:9696/v2.0/qos/policies/f10cd2a0-4a44-4205-b44d-ee7ed3e1efa9/bandwidth_limit_rules/9237c1a2-1274-4a7b-a801-6db324d3ec2a.json -H "X-Auth-Token: TOEKN_ID" -d '{"bandwidth_limit_rule": {"max_kbps": "1$!0", "max_burst_kbps": "30000"}}'

HTTP/1.1 400 Bad Request
Content-Length: 134
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-5fb5f8cf-cef3-4529-b102-165672d4761c
Date: Thu, 23 Feb 2017 12:16:21 GMT

{"NeutronError": {"message": "Invalid input for max_kbps. Reason: '1$!0' is not an integer.", "type": "HTTPBadRequest", "detail": ""}
[1]: http://docstore.mik.ua/orelly/unix/upt/ch08_19.htm
[2]: http://paste.openstack.org/show/600215/
** Changed in: neutron
Status: New => Invalid
https://bugs.launchpad.net/bugs/1667285
Title:
Neutron: Updation of qos-bandwidth-limit-rule-update with some
special characters should be restricted
Status in neutron:
Invalid
Bug description:
Neutron allows updating qos-bandwidth-limit-rule with some special characters.
I can update "qos-bandwidth-limit-rule-update" with some special characters. This should be restricted. I have used "$!", "$@", "$#" in the --max-kbps value.
Steps:
$ neutron qos-policy-create qos-policy7
$ neutron qos-bandwidth-limit-rule-create <qos-policy-id> --max-kbps 10000 --max-burst-kbps 30000
$ neutron qos-bandwidth-limit-rule-update <qos-bandwidth-rule-id> <qos-policy-id> --max-kbps 1$!0 --max-burst-kbps 30000
In the above command, qos-bandwidth-limit-rule-update is updated with "1$!0";
this should be restricted.
Detailed commands pasted here:-
http://paste.openstack.org/show/600207/
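The shell evaluation described in the reply above, as an added example that is not part of the original message or of the neutron project: it shows what a CLI actually receives for each value from the bug description when typed unquoted versus single-quoted. The helper names (expand_as_prompt, is_integer, verdict) are hypothetical, and the sketch assumes a shell with no positional parameters and no background job, as at a fresh prompt.

```shell
#!/bin/sh
# Added example: constructed inputs only, taken from the bug report's values.

# expand_as_prompt WORD
# Prints what a fresh shell (no positional parameters, no background job)
# turns an unquoted WORD into before the CLI is even started.
# WORD is deliberately evaluated by the child shell; pass only the
# constructed sample values below.
expand_as_prompt() {
    sh -c "printf '%s' $1"
}

# is_integer VALUE
# Hypothetical client-side check mirroring the API's "is not an integer"
# rejection: succeeds only for a non-empty string of decimal digits.
is_integer() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# verdict VALUE: prints "accepted" or "rejected" according to is_integer.
verdict() {
    if is_integer "$1"; then printf 'accepted'; else printf 'rejected'; fi
}

for word in '1$!0' '1$@0' '1$#0'; do
    seen=$(expand_as_prompt "$word")
    printf 'typed unquoted: %-6s CLI receives: %-5s -> %s\n' \
        "$word" "$seen" "$(verdict "$seen")"
    printf 'typed quoted:   %-6s CLI receives: %-5s -> %s\n' \
        "'$word'" "$word" "$(verdict "$word")"
done
```

Unquoted, every sample value reaches the client as a plain integer, so there is nothing left for the client or the API to reject; single-quoted, the literal string arrives and fails the integer check, matching the 400 response shown in the reply.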