Need to reject stack/resource names with slashes

Bug #1088928 reported by Zane Bitter
This bug affects 1 person
Affects          Status         Importance   Assigned to   Milestone
OpenStack Heat   Fix Released   High         Zane Bitter
Grizzly          Fix Released   High         Zane Bitter

Bug Description

An unfortunate feature of WSGI (inherited from CGI) is that the path we are passed for an HTTP request has already been unquoted, thus turning all instances of '%2F' back into a '/' that is indistinguishable from an actual path component. Since there is no way to get the original, unmolested data, there is therefore no way to sensibly handle names that have slashes in them in the ReST API. So we should disallow such names in the engine.

Zane Bitter (zaneb)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/17939

Changed in heat:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to heat (master)

Reviewed: https://review.openstack.org/17939
Committed: http://github.com/openstack/heat/commit/a560d1e206b87ac9d5e51a266dd6327cabe4f2cb
Submitter: Jenkins
Branch: master

commit a560d1e206b87ac9d5e51a266dd6327cabe4f2cb
Author: Zane Bitter <email address hidden>
Date: Wed Dec 12 13:47:33 2012 +0100

    Don't allow slashes in Stack or Resource names

    There is no way for the ReST API to handle Stack or Resource names that
    contain slashes since WSGI decodes the path before passing it to the
    application, such that even correctly url-encoded slashes are
    indistinguishable from path separators. Therefore, prohibit slashes in
    Stack and Resource names.

    bug 1088928

    Change-Id: Ie6fa5a1bc7b5ae7054300419644008c5cc42187e
    Signed-off-by: Zane Bitter <email address hidden>
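
The ambiguity described in the bug report and the commit message, as an added example that is not part of the report or of Heat's code: it mimics the percent-decoding a WSGI server applies before the application sees PATH_INFO, then shows why the only safe place to handle slashes is a name check. The route layout, function names and sample names are assumptions made for illustration.

```python
from urllib.parse import quote, unquote


def wsgi_path_info(request_target):
    """Mimic what a WSGI server puts in PATH_INFO: drop the query, percent-decode."""
    return unquote(request_target.split("?", 1)[0])


def route(path_info):
    """Hypothetical URL map, not Heat's: /stacks/<stack>[/resources/<resource>]."""
    parts = path_info.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "stacks":
        return {"stack": parts[1]}
    if len(parts) == 4 and parts[0] == "stacks" and parts[2] == "resources":
        return {"stack": parts[1], "resource": parts[3]}
    return None  # no route matches


def misroutes(name):
    """True if a correctly percent-encoded stack name does not route back to itself."""
    target = "/stacks/" + quote(name, safe="")  # client encodes '/' as %2F
    return route(wsgi_path_info(target)) != {"stack": name}


def validate_name(name):
    """Engine-side check in the spirit of the fix: refuse names containing '/'."""
    if "/" in name:
        raise ValueError("name %r must not contain '/'" % name)
    return name


if __name__ == "__main__":
    # Constructed sample names.
    for name in ["web tier", "a/b", "a/resources/b"]:
        target = "/stacks/" + quote(name, safe="")
        print(name, "->", target, "->", route(wsgi_path_info(target)))
```

A stack named `a/resources/b` is the instructive case: its encoded URL decodes to the same path as resource `b` of stack `a`, so the request is served for a different object rather than failing.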

Changed in heat:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in heat:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in heat:
milestone: grizzly-2 → 2013.1