From 05e9bdb656d9c120ed3cd6ffc8ae7dbf5614b5e4 Mon Sep 17 00:00:00 2001
From: "neha.pandey"
Date: Thu, 4 May 2017 16:53:08 +0530
Subject: [PATCH] Fix member create to handle unicode characters
If user passes member id as unicode characters in member create then HTTP 500 internal server error is raised. Reason: The unicode format check is not performed in db create member. This patch fixes the member create by checking member id before inserting in db. If member id is unicode then proper exception is raised and same is handled in controller api.
Change-Id: I67be5e990d1269cbb986db7fff21a90a41af06e4
Closes-Bug: #1688189
---
 glance/api/v2/image_members.py | 2 ++
 glance/db/simple/api.py | 1 +
 glance/db/sqlalchemy/api.py | 1 +
 glance/tests/unit/v2/test_image_members_resource.py | 6 ++++++
 4 files changed, 10 insertions(+)
diff --git a/glance/api/v2/image_members.py b/glance/api/v2/image_members.py
index 09696e0fd9..b2e88e4250 100644
--- a/glance/api/v2/image_members.py
+++ b/glance/api/v2/image_members.py
@@ -116,6 +116,8 @@ class ImageMembersController(object):
 member_id)
 member_repo.add(new_member)
 return new_member
+ except exception.Invalid as e:
+ raise webob.exc.HTTPBadRequest(explanation=e.msg)
 except exception.Forbidden:
 msg = _("Not allowed to create members for image %s.") % image_id
 LOG.warning(msg)
diff --git a/glance/db/simple/api.py b/glance/db/simple/api.py
index d8133d133c..daab21ab11 100644
--- a/glance/db/simple/api.py
+++ b/glance/db/simple/api.py
@@ -538,6 +538,7 @@ def image_member_count(context, image_id):
 @log_call
+@utils.no_4byte_params
 def image_member_create(context, values):
 member = _image_member_format(values['image_id'],
 values['member'],
diff --git a/glance/db/sqlalchemy/api.py b/glance/db/sqlalchemy/api.py
index f404ffb7dc..6c2621454f 100644
--- a/glance/db/sqlalchemy/api.py
+++ b/glance/db/sqlalchemy/api.py
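Review bot: The new `except exception.Invalid` branch in `ImageMembersController.create` (glance/api/v2/image_members.py) returns `e.msg` to the client as a 400 but writes nothing to the log, unlike the `Forbidden` branch directly below it, which calls `LOG.warning(msg)`. Rejected member ids are then invisible to anyone reviewing the API logs; consider `LOG.debug("Rejected member create for image %s: %s", image_id, e.msg)` before the raise. Because the clause is listed first, it would also shadow any later handler for a subclass of `exception.Invalid`. The try statement starts and ends outside the hunk, so that ordering should be checked against the full handler list.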
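Review bot: `image_member_create` in glance/db/simple/api.py now depends on `@utils.no_4byte_params` to reject the member id, and nothing at the definition says what the decorator raises or which parts of `values` it inspects. A short comment above the decorator, such as `# Raises exception.Invalid on 4-byte unicode input; the v2 members controller maps it to HTTP 400.`, would make that contract visible; the same applies to the decorated `image_member_create` in glance/db/sqlalchemy/api.py, where the one-line docstring could carry it. The decorator's body is not part of this diff, so it is worth confirming that it checks string values inside a dict argument and not only positional strings, since the member id arrives as `values['member']`. Both function bodies continue outside their hunks.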
@@ -1072,6 +1072,7 @@ def _image_property_delete_all(context, image_id, delete_time=None,
 return props_updated_count
+@utils.no_4byte_params
 def image_member_create(context, values, session=None):
 """Create an ImageMember object."""
 memb_ref = models.ImageMember()
diff --git a/glance/tests/unit/v2/test_image_members_resource.py b/glance/tests/unit/v2/test_image_members_resource.py
index 6a4a12cf8d..13cd8754e6 100644
--- a/glance/tests/unit/v2/test_image_members_resource.py
+++ b/glance/tests/unit/v2/test_image_members_resource.py
@@ -279,6 +279,12 @@ class TestImageMembersController(test_utils.BaseTestCase):
 self.assertEqual(UUID2, output.image_id)
 self.assertEqual(TENANT3, output.member_id)
+ def test_member_create_raises_bad_request_for_unicode_value(self):
+ request = unit_test_utils.get_fake_request()
+ self.assertRaises(webob.exc.HTTPBadRequest, self.controller.create,
+ request, image_id=UUID5,
+ member_id=u'\U0001f693')
+
 def test_update_done_by_member(self):
 request = unit_test_utils.get_fake_request(tenant=TENANT4)
 image_id = UUID2
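Review bot: `test_member_create_raises_bad_request_for_unicode_value` (glance/tests/unit/v2/test_image_members_resource.py) is named for unicode in general, but its input `u'\U0001f693'` is a code point outside the Basic Multilingual Plane, i.e. a 4-byte UTF-8 character. A name like `test_member_create_raises_bad_request_for_4byte_unicode` states the boundary actually enforced, and a companion case with a non-ASCII member id inside the BMP would pin whichever behaviour is intended there. The test reaches the check only through the controller and whichever DB backend the fixture wires in, which is presumably just one of the two decorated `image_member_create` functions. A direct test of each would cover the other backend.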