diff --git a/swift/proxy/controllers/account.py b/swift/proxy/controllers/account.py index ee5995f1eb..f3ff6458fc 100644 --- a/swift/proxy/controllers/account.py +++ b/swift/proxy/controllers/account.py @@ -139,6 +139,11 @@ class AccountController(Controller): @public def DELETE(self, req): """HTTP DELETE request handler.""" + # Extra safety in case someone typos a query string for an + # account-level DELETE request that was really meant to be caught by + # some middleware. + if req.query_string: + return HTTPBadRequest(request=req) if not self.app.allow_account_management: return HTTPMethodNotAllowed( request=req, diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py index 497136f5dc..adea5e54ff 100644 --- a/test/unit/proxy/test_server.py +++ b/test/unit/proxy/test_server.py @@ -5564,6 +5564,29 @@ class TestAccountController(unittest.TestCase): test_status_map((201, 500, 500), 503) test_status_map((204, 500, 404), 503) + def test_DELETE_with_query_string(self): + # Extra safety in case someone typos a query string for an + # account-level DELETE request that was really meant to be caught by + # some middleware. + with save_globals(): + controller = proxy_server.AccountController(self.app, 'account') + + def test_status_map(statuses, expected, **kwargs): + set_http_connect(*statuses, **kwargs) + self.app.memcache.store = {} + req = Request.blank('/a?whoops', {'REQUEST_METHOD': 'DELETE'}) + req.content_length = 0 + self.app.update_request(req) + res = controller.DELETE(req) + expected = str(expected) + self.assertEquals(res.status[:len(expected)], expected) + test_status_map((201, 201, 201), 400) + self.app.allow_account_management = True + test_status_map((201, 201, 201), 400) + test_status_map((201, 201, 500), 400) + test_status_map((201, 500, 500), 400) + test_status_map((204, 500, 404), 400) + class FakeObjectController(object):