Fix Story 2010258 (CVE-2022-3100)
This patch fixes a security vulnerability where the contents of a
request query string were mistakenly being used in the RBAC policy
engine.
(cherry picked from commit a61489d9f8
)
Change-Id: I5797988e4c63c75fccf85277c52815d9bf684cff
parent
649b7db73a
commit
8ef263b880
|
@ -58,7 +58,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
|
|||
if target_name and target_data:
|
||||
policy_dict['target'] = {target_name: target_data}
|
||||
|
||||
policy_dict.update(kwargs)
|
||||
# Enforce access controls.
|
||||
if ctx.policy_enforcer:
|
||||
ctx.policy_enforcer.authorize(action_name, flatten(policy_dict),
|
||||
|
|