Add v1 API x-image-meta- header whitelist
Add a whitelist of allowed 'x-image-meta-xxx' style headers. Attempts to supply other, unexpected headers will return 400. This prevents cases such as 'x-image-meta-locations' being processed, which were not being handled correctly. Addresses bug 1205018. Change-Id: I771bb6ae2a4f9cbd7726f952c7a71da99162b490
parent
3a879bf3e2
commit
c3e58bd943
|
@ -49,6 +49,18 @@ LOG = logging.getLogger(__name__)
|
|||
|
||||
FEATURE_BLACKLIST = ['content-length', 'content-type', 'x-image-meta-size']
|
||||
|
||||
# Whitelist of v1 API headers of form x-image-meta-xxx
|
||||
IMAGE_META_HEADERS = ['x-image-meta-location', 'x-image-meta-size',
|
||||
'x-image-meta-is_public', 'x-image-meta-disk_format',
|
||||
'x-image-meta-container_format', 'x-image-meta-name',
|
||||
'x-image-meta-status', 'x-image-meta-copy_from',
|
||||
'x-image-meta-uri', 'x-image-meta-checksum',
|
||||
'x-image-meta-created_at', 'x-image-meta-updated_at',
|
||||
'x-image-meta-deleted-at', 'x-image-meta-min_ram',
|
||||
'x-image-meta-min_disk', 'x-image-meta-owner',
|
||||
'x-image-meta-store', 'x-image-meta-id',
|
||||
'x-image-meta-protected', 'x-image-meta-deleted']
|
||||
|
||||
GLANCE_TEST_SOCKET_FD_STR = 'GLANCE_TEST_SOCKET_FD'
|
||||
|
||||
|
||||
|
@ -237,6 +249,9 @@ def get_image_meta_from_headers(response):
|
|||
properties[field_name] = value or None
|
||||
elif key.startswith('x-image-meta-'):
|
||||
field_name = key[len('x-image-meta-'):].replace('-', '_')
|
||||
if 'x-image-meta-' + field_name not in IMAGE_META_HEADERS:
|
||||
msg = _(("Bad header: %s") % key)
|
||||
raise exc.HTTPBadRequest(msg, content_type="text/plain")
|
||||
result[field_name] = value or None
|
||||
result['properties'] = properties
|
||||
if 'size' in result:
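Review bot: The whitelist entry `'x-image-meta-deleted-at'` can never match, because the new check in get_image_meta_from_headers builds its lookup key from `field_name` after `.replace('-', '_')` has already run. As a result both `x-image-meta-deleted-at` and `x-image-meta-deleted_at` are rejected with 400; the entry should read `'x-image-meta-deleted_at'` like the neighbouring `created_at` and `updated_at`. Separately, `_(("Bad header: %s") % key)` interpolates the client-supplied key before the translation lookup, so the catalog is searched for the already-formatted string; `msg = _("Bad header: %s") % key` keeps the message translatable. The function body starts and ends outside the hunk, so how the accepted fields are used afterwards is not visible here.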
|
||||
|
|
|
@ -120,9 +120,21 @@ class TestUtils(test_utils.BaseTestCase):
|
|||
|
||||
def test_get_meta_from_headers(self):
|
||||
resp = webob.Response()
|
||||
resp.headers = {"x-image-meta-*": 'test'}
|
||||
resp.headers = {"x-image-meta-name": 'test'}
|
||||
result = utils.get_image_meta_from_headers(resp)
|
||||
self.assertEqual({'*': 'test', 'properties': {}}, result)
|
||||
self.assertEqual({'name': 'test', 'properties': {}}, result)
|
||||
|
||||
def test_get_meta_from_headers_bad_headers(self):
|
||||
resp = webob.Response()
|
||||
resp.headers = {"x-image-meta-bad": 'test'}
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
utils.get_image_meta_from_headers, resp)
|
||||
resp.headers = {"x-image-meta-": 'test'}
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
utils.get_image_meta_from_headers, resp)
|
||||
resp.headers = {"x-image-meta-*": 'test'}
|
||||
self.assertRaises(webob.exc.HTTPBadRequest,
|
||||
utils.get_image_meta_from_headers, resp)
|
||||
|
||||
def test_add_features_to_http_headers(self):
|
||||
features_test1 = {'x-image-meta-size': 'test'}
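Review bot: The new tests cover rejection of three bad names but only one accepted name (`x-image-meta-name`), so nothing verifies that every entry in the whitelist is actually reachable through the normalised lookup. I would add a test that sends each name in `utils.IMAGE_META_HEADERS`, with a value valid for that field, and asserts that no `HTTPBadRequest` is raised; that would flag an entry spelled with a hyphen after the prefix, such as `deleted-at`. A case for a hyphenated spelling of a valid field, for example `x-image-meta-is-public`, would also pin down whether that normalisation is intended to be accepted. test_add_features_to_http_headers continues outside the hunk.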
|
||||
|
|
|
@ -270,7 +270,6 @@ class TestHelpers(test_utils.BaseTestCase):
|
|||
"""
|
||||
fixture = {'name': 'fake public image',
|
||||
'is_public': True,
|
||||
'type': 'kernel',
|
||||
'size': 19,
|
||||
'location': "file:///tmp/glance-tests/2",
|
||||
'properties': {'distro': 'Ubuntu 10.04 LTS'}}
|
||||
|
@ -285,7 +284,6 @@ class TestHelpers(test_utils.BaseTestCase):
|
|||
fixture = {'name': 'fake public image',
|
||||
'is_public': True,
|
||||
'deleted': False,
|
||||
'type': 'kernel',
|
||||
'name': None,
|
||||
'size': 19,
|
||||
'location': "file:///tmp/glance-tests/2",
|
||||
|
|