
yahoo-eng-team team mailing list archive

[Bug 1724598] Re: DOS : API_RESULT_LIMIT does not work for swift objects

 

The lack of priority on this over the past 6 years seems to indicate
it's not a severe enough risk to warrant a widely published advisory
even if a fix ever does merge. The VMT and other OpenStack Security SIG
members agreed during the 2023.1 cycle that this should be considered
class B2 per our report taxonomy:
https://security.openstack.org/vmt-process.html#report-taxonomy

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1724598

Title:
  DOS : API_RESULT_LIMIT does not work for swift objects

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A user can make the horizon apache process crash.

  Indeed, API_RESULT_LIMIT does not work when `full_listing=False` is
  passed as an argument to swiftclient.client.Connection.get_account or to
  swiftclient.client.Connection.get_container.

  Therefore, when a customer has a very large number of objects, the full
  production server crashes and stops responding.

  To reproduce: slowly upload a million small objects to one container,
  then view this container. The server crashes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1724598/+subscriptions
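
An added example, not part of the bug report or of Horizon's code: one way to keep a container listing bounded is to pass an explicit `limit` and `marker` on every call and request one extra row to learn whether another page exists. `FakeSwiftConnection` is a constructed stub whose `get_container` mirrors the `marker`/`limit`/`full_listing` keywords of python-swiftclient; the page size and the per-request server cap are assumed values.

```python
import bisect

API_RESULT_LIMIT = 1000     # assumed page size; the setting name comes from the bug report
SERVER_LISTING_CAP = 10000  # assumed per-request cap applied by the object store


class FakeSwiftConnection:
    """Constructed stub: a container of sorted object names, listed by marker and limit."""

    def __init__(self, object_count):
        self._names = [f"obj-{i:07d}" for i in range(object_count)]
        self.largest_response = 0  # biggest listing ever handed back to a caller

    def get_container(self, container, marker=None, limit=None, full_listing=False):
        # Only the single-request form is modelled here.
        assert not full_listing
        start = bisect.bisect_right(self._names, marker) if marker else 0
        size = min(limit or SERVER_LISTING_CAP, SERVER_LISTING_CAP)
        chunk = self._names[start:start + size]
        self.largest_response = max(self.largest_response, len(chunk))
        return {}, [{"name": name} for name in chunk]


def list_page(conn, container, marker=None, page_size=API_RESULT_LIMIT):
    """Fetch one bounded page; the extra row only signals that more objects exist."""
    _headers, rows = conn.get_container(
        container, marker=marker, limit=page_size + 1, full_listing=False)
    has_more = len(rows) > page_size
    return rows[:page_size], has_more


def iter_pages(conn, container, page_size=API_RESULT_LIMIT):
    """Walk the container page by page, holding at most page_size + 1 rows at once."""
    marker, has_more = None, True
    while has_more:
        page, has_more = list_page(conn, container, marker, page_size)
        if not page:
            break
        marker = page[-1]["name"]  # listing resumes strictly after this name
        yield page
```

With this pattern the memory used per request depends on the page size rather than on how many objects the container holds.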