Merge "Bodies that are not dicts or lists return 400"

glance/common/wsgi.py

@@ -786,7 +786,11 @@ class JSONRequestDeserializer(object):
 
     def from_json(self, datastring):
         try:
-            return jsonutils.loads(datastring, object_hook=self._sanitizer)
+            jsondata = jsonutils.loads(datastring, object_hook=self._sanitizer)
+            if not isinstance(jsondata, (dict, list)):
+                msg = _('Unexpected body type. Expected list/dict.')
+                raise webob.exc.HTTPBadRequest(explanation=msg)
+            return jsondata
         except ValueError:
             msg = _('Malformed JSON in request body.')
             raise webob.exc.HTTPBadRequest(explanation=msg)

glance/tests/functional/v2/test_images.py

@@ -572,6 +572,27 @@ class TestImages(functional.FunctionalTest):
         images = jsonutils.loads(response.text)['images']
         self.assertEqual(0, len(images))
 
+        # Create image that tries to send True should return 400
+        path = self._url('/v2/images')
+        headers = self._headers({'content-type': 'application/json'})
+        data = 'true'
+        response = requests.post(path, headers=headers, data=data)
+        self.assertEqual(400, response.status_code)
+
+        # Create image that tries to send a string should return 400
+        path = self._url('/v2/images')
+        headers = self._headers({'content-type': 'application/json'})
+        data = '"hello"'
+        response = requests.post(path, headers=headers, data=data)
+        self.assertEqual(400, response.status_code)
+
+        # Create image that tries to send 123 should return 400
+        path = self._url('/v2/images')
+        headers = self._headers({'content-type': 'application/json'})
+        data = '123'
+        response = requests.post(path, headers=headers, data=data)
+        self.assertEqual(400, response.status_code)
+
         self.stop_servers()
 
     def test_update_readonly_prop(self):