diff --git a/glance/common/wsgi.py b/glance/common/wsgi.py
index 2256503f43..8ba7a6f4ff 100644
--- a/glance/common/wsgi.py
+++ b/glance/common/wsgi.py
@@ -786,7 +786,11 @@ class JSONRequestDeserializer(object):
 def from_json(self, datastring):
 try:
- return jsonutils.loads(datastring, object_hook=self._sanitizer)
+ jsondata = jsonutils.loads(datastring, object_hook=self._sanitizer)
+ if not isinstance(jsondata, (dict, list)):
+ msg = _('Unexpected body type. Expected list/dict.')
+ raise webob.exc.HTTPBadRequest(explanation=msg)
+ return jsondata
 except ValueError:
 msg = _('Malformed JSON in request body.')
 raise webob.exc.HTTPBadRequest(explanation=msg)
diff --git a/glance/tests/functional/v2/test_images.py b/glance/tests/functional/v2/test_images.py
index 6d6581142e..278010900a 100644
--- a/glance/tests/functional/v2/test_images.py
+++ b/glance/tests/functional/v2/test_images.py
@@ -572,6 +572,27 @@ class TestImages(functional.FunctionalTest):
 images = jsonutils.loads(response.text)['images']
 self.assertEqual(0, len(images))
+ # Create image that tries to send True should return 400
+ path = self._url('/v2/images')
+ headers = self._headers({'content-type': 'application/json'})
+ data = 'true'
+ response = requests.post(path, headers=headers, data=data)
+ self.assertEqual(400, response.status_code)
+
+ # Create image that tries to send a string should return 400
+ path = self._url('/v2/images')
+ headers = self._headers({'content-type': 'application/json'})
+ data = '"hello"'
+ response = requests.post(path, headers=headers, data=data)
+ self.assertEqual(400, response.status_code)
+
+ # Create image that tries to send 123 should return 400
+ path = self._url('/v2/images')
+ headers = self._headers({'content-type': 'application/json'})
+ data = '123'
+ response = requests.post(path, headers=headers, data=data)
+ self.assertEqual(400, response.status_code)
+
 self.stop_servers()
 def test_update_readonly_prop(self):
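Review bot: The `isinstance(jsondata, (dict, list))` check in from_json still lets any top-level list through, so a handler that expects an object can receive `[]` and has to reject it itself; whether every caller does is not visible from this hunk. If lists are accepted on purpose for list-bodied requests, record that next to the check, e.g. `# Scalars and null are rejected here; lists pass, so handlers must still validate the body shape.` The new raise also sits inside the `try` whose only handler is for the decoder's ValueError; moving the type check below the try/except would keep that handler scoped to the `jsonutils.loads` call.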
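Review bot: The added cases post `true`, a string and `123` but not `null`, which decodes to None and is rejected by the same isinstance check, so nothing here pins that it also returns 400. The three blocks differ only in `data`, so a loop such as `for data in ('true', '"hello"', '123', 'null'):` around a single post-and-assert would add the case without more copy-paste. The enclosing test method starts above the hunk, so its name and setup are not visible here.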