adding check for serverRef hostname matching app url

2011-06-17 14:35:10 -04:00 · 2011-06-17 14:35:10 -04:00 · 2ee267b7e4
commit 2ee267b7e4
parent bfbb2b8e04
2 changed files with 24 additions and 7 deletions
--- a/nova/api/openstack/images.py
+++ b/nova/api/openstack/images.py
@ -101,7 +101,7 @@ class Controller(object):
            raise webob.exc.HTTPBadRequest()
        try:
-            server_id = self._server_id_from_req_data(body)
+            server_id = self._server_id_from_req(req, body)
            image_name = body["image"]["name"]
        except KeyError:
            raise webob.exc.HTTPBadRequest()
@ -116,7 +116,7 @@ class Controller(object):
        """Indicates that you must use a Controller subclass."""
        raise NotImplementedError
-    def _server_id_from_req_data(self, data):
+    def _server_id_from_req(self, req, data):
        raise NotImplementedError()
    def _get_extra_properties(self, req, data):
@ -157,7 +157,7 @@ class ControllerV10(Controller):
        builder = self.get_builder(req).build
        return dict(images=[builder(image, detail=True) for image in images])
-    def _server_id_from_req_data(self, data):
+    def _server_id_from_req(self, req, data):
        try:
            return data['image']['serverId']
        except KeyError:
@ -201,14 +201,20 @@ class ControllerV11(Controller):
        builder = self.get_builder(req).build
        return dict(images=[builder(image, detail=True) for image in images])
-    def _server_id_from_req_data(self, data):
+    def _server_id_from_req(self, req, data):
        try:
            server_ref = data['image']['serverRef']
        except KeyError:
            msg = _("Expected serverRef attribute on server entity.")
            raise webob.exc.HTTPBadRequest(explanation=msg)
-        return os.path.split(server_ref)[1]
+        head, tail = os.path.split(server_ref)
        if head and head != os.path.join(req.application_url, 'servers'):
            msg = _("serverRef must match request url")
            raise webob.exc.HTTPBadRequest(explanation=msg)
        return tail
    def _get_extra_properties(self, req, data):
        server_ref = data['image']['serverRef']
--- a/nova/tests/api/openstack/test_images.py
+++ b/nova/tests/api/openstack/test_images.py
@ -1028,9 +1028,9 @@ class ImageControllerWithGlanceServiceTest(test.TestCase):
        response = req.get_response(fakes.wsgi_app())
        self.assertEqual(200, response.status_int)
-    def test_create_image_v1_1_actual_serverRef(self):
+    def test_create_image_v1_1_actual_server_ref(self):
-        serverRef = 'http://localhost:8774/v1.1/servers/1'
+        serverRef = 'http://localhost/v1.1/servers/1'
        body = dict(image=dict(serverRef=serverRef, name='Backup 1'))
        req = webob.Request.blank('/v1.1/images')
        req.method = 'POST'
@ -1041,6 +1041,17 @@ class ImageControllerWithGlanceServiceTest(test.TestCase):
        result = json.loads(response.body)
        self.assertEqual(result['image']['serverRef'], serverRef)
    def test_create_image_v1_1_server_ref_bad_hostname(self):
        serverRef = 'http://asdf/v1.1/servers/1'
        body = dict(image=dict(serverRef=serverRef, name='Backup 1'))
        req = webob.Request.blank('/v1.1/images')
        req.method = 'POST'
        req.body = json.dumps(body)
        req.headers["content-type"] = "application/json"
        response = req.get_response(fakes.wsgi_app())
        self.assertEqual(400, response.status_int)
    def test_create_image_v1_1_xml_serialization(self):
        body = dict(image=dict(serverRef='123', name='Backup 1'))