Fix Story 2010258 (CVE-2022-3100)

This patch fixes a security vunlerability where the contents of a
request query string were mistakenly being used in the RBAC policy
engine.

(cherry picked from commit a61489d9f8)

Change-Id: I5797988e4c63c75fccf85277c52815d9bf684cff
This commit is contained in:
Douglas Mendizábal 2022-08-30 14:58:00 -05:00
parent 649b7db73a
commit 8ef263b880
1 changed files with 0 additions and 1 deletions

View File

@ -58,7 +58,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
if target_name and target_data:
policy_dict['target'] = {target_name: target_data}
policy_dict.update(kwargs)
# Enforce access controls.
if ctx.policy_enforcer:
ctx.policy_enforcer.authorize(action_name, flatten(policy_dict),