yahoo-eng-team team mailing list archive
Message #69411
[Bug 1734154] [NEW] bad file path but accepted in a container by Horizon after uploading file
Public bug reported:
I uploaded a file with a bad path which contains a double slash (example: '/my/file//path') in an object storage container.
The problem is that Horizon accepted this bad path as if it were a valid path; there was no control or validation of the path by OpenStack Horizon. In the URL, if I put '/containers/container/my-container/A/b/12/s', which doesn't exist, Horizon still opens the container with the following path.
Steps to reproduce:
- use the "pkgcloud" module available on GitHub with Node.js to upload a file in a container in Horizon
- upload a file with a bad path
- get all files and you see that the file has been saved in a fake URL
Optionally: put a bad path in the URL after '/containers/container/' and
Horizon will open this false container with a false file
** Affects: horizon
Importance: Undecided
Status: New
** Tags: bad container file horizon node object openstack path pkgcloud storage
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1734154
Title:
bad file path but accepted in a container by Horizon after uploading
file
Status in OpenStack Dashboard (Horizon):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1734154/+subscriptions
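
An added example, not part of the original bug report and not Horizon or pkgcloud code: the two checks the report finds missing, rejecting object paths that contain empty segments and confirming that a requested folder path matches stored objects. The container is modelled here as a flat list of object names with "/" separating folder levels; that model, the function names and the sample data are assumptions.

```python
# Added illustration; not Horizon or pkgcloud code. All names are hypothetical.
# Assumption: a container is a flat list of object names in which "/"
# separates folder levels.

def path_problems(path):
    """Return the problems found in an object path (empty list = accepted)."""
    # Tolerate one leading and one trailing slash; anything beyond that
    # produces an empty segment and is reported.
    body = path[1:] if path.startswith("/") else path
    body = body[:-1] if body.endswith("/") else body
    if not body:
        return ["path has no segments"]
    return [
        f"empty segment at position {position} (double slash)"
        for position, segment in enumerate(body.split("/"))
        if segment == ""
    ]


def audit_container(object_names):
    """Map every stored object name that fails validation to its problems."""
    findings = {}
    for name in object_names:
        problems = path_problems(name)
        if problems:
            findings[name] = problems
    return findings


def folder_exists(object_names, folder):
    """True if at least one stored object lies under the requested folder."""
    wanted = folder.strip("/")
    if not wanted:
        return True  # the container root always exists
    prefix = wanted + "/"
    return any(name.lstrip("/").startswith(prefix) for name in object_names)


# Constructed sample listing: one object uploaded with the path from the report.
STORED = ["/my/file//path", "docs/readme.txt", "docs/img/logo.png"]

if __name__ == "__main__":
    print(audit_container(STORED))
    # Folder path taken from the URL in the report, after the container name.
    print(folder_exists(STORED, "A/b/12/s"))
```
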