swift/test/unit/common/middleware
Clay Gerrard 0694e1911d Disallow unsafe tempurl operations to point to unauthorized data
Do not allow PUT tempurls to create pointers to other data. Specifically
disallow the creation of DLO object manifests by returning an error if a
non-safe tempurl request includes an X-Object-Manifest header regardless of
the value of the header.

This prevents discoverability attacks which can use any PUT tempurl to probe
for private data by creating a DLO object manifest and then using the PUT
tempurl to head the object which would 404 if the prefix does not match any
object data or form a valid DLO HEAD response if it does.

This also prevents a tricky and potentially unexpected consequence of PUT
tempurls which would make it unsafe to allow a user to download objects
created by tempurl (even if they just created them) because the result of
reading the object created via tempurl may not be the data which was uploaded.

[CVE-2015-5223]

Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.kota@lab.ntt.co.jp>

Closes-Bug: 1453948

Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8
2015-08-26 07:54:02 -07:00
__init__.py Initial commit of middleware refactor 2010-08-20 00:42:38 +00:00
helpers.py Add container-reconciler daemon 2014-06-18 17:31:39 -07:00
test_account_quotas.py Uses None instead of mutables for function param defaults 2014-05-10 11:15:56 +00:00
test_acl.py Fix invalid account acl generating 500 response. 2014-02-19 18:32:53 +00:00
test_bulk.py Rework use of constraints to ease testing 2014-04-02 23:48:01 -04:00
test_cname_lookup.py Allow multiple storage_domain in cname_lookup. 2014-01-26 10:45:19 +00:00
test_container_sync.py Add Storage Policy Support to Container Sync 2014-06-18 21:09:54 -07:00
test_crossdomain.py Corrected many style violations in the tests. 2013-07-24 10:18:47 -07:00
test_dlo.py Fixes unit tests to clean up temporary directories 2014-09-26 22:39:48 +05:30
test_domain_remap.py Allow empty reseller prefixes in domain_remap 2014-04-23 23:59:28 +01:00
test_except.py Let users add their own txid suffixes 2014-05-16 15:29:47 -04:00
test_formpost.py Move multipart MIME parser into utils 2014-09-16 10:10:59 -07:00
test_gatekeeper.py Uses None instead of mutables for function param defaults 2014-05-10 11:15:56 +00:00
test_healthcheck.py Change OpenStack LLC to Foundation 2013-09-20 01:02:31 +08:00
test_keystoneauth.py Restrict keystone cross-tenant ACLs to IDs 2014-08-08 15:58:29 +01:00
test_list_endpoints.py Add v2 API to list endpoints middleware 2014-07-17 11:48:27 +01:00
test_memcache.py Fix for memcache middleware configuration 2013-11-26 18:03:33 +00:00
test_name_check.py Change OpenStack LLC to Foundation 2013-09-20 01:02:31 +08:00
test_proxy_logging.py Change the default token logged length to 16 2014-05-20 19:46:38 -07:00
test_quotas.py Handle COPY verb in container quota middleware 2014-02-04 12:30:20 +01:00
test_ratelimit.py use get_container_info in ratelimit 2014-09-25 16:29:57 +00:00
test_recon.py Parallel object auditor 2014-06-25 16:57:53 +01:00
test_slo.py Fix SLO test with old simplejson 2014-06-16 10:43:22 -07:00
test_staticweb.py Improve StaticWeb 404 on web-listings/index 2014-02-18 11:46:31 +00:00
test_tempauth.py Fix invalid account acl generating 500 response. 2014-02-19 18:32:53 +00:00
test_tempurl.py Disallow unsafe tempurl operations to point to unauthorized data 2015-08-26 07:54:02 -07:00
test_xprofile.py Fixes unit tests to clean up temporary directories 2014-09-26 22:39:48 +05:30