swift/swift/common
Tim Burke bf9346d88d Fix some request-smuggling vectors on py3
A Python 3 bug causes us to abort header parsing in some cases. We
mostly worked around that in the related change, but that was *after*
eventlet used the parsed headers to determine things like message
framing. As a result, a client sending a malformed request (for example,
sending both Content-Length *and* Transfer-Encoding: chunked headers)
might have that request parsed properly and authorized by a proxy-server
running Python 2, but the proxy-to-backend request could get misparsed
if the backend is running Python 3. As a result, the single client
request could be interpreted as multiple requests by an object server,
only the first of which was properly authorized at the proxy.

Now, after we find and parse additional headers that weren't parsed by
Python, fix up eventlet's wsgi.input to reflect the message framing we
expect given the complete set of headers. As an added precaution, if the
client included Transfer-Encoding: chunked *and* a Content-Length,
ensure that the Content-Length is not forwarded to the backend.

Change-Id: I70c125df70b2a703de44662adc66f740cc79c7a9
Related-Change: I0f03c211f35a9a49e047a5718a9907b515ca88d7
Closes-Bug: 1840507
2019-10-02 08:20:20 -07:00
..
middleware Merge "doc: Fix the swift middleware doc needs more info to set s3 api" 2019-09-21 04:03:36 +00:00
ring Rebuild frags for unmounted disks 2019-02-08 18:04:55 +00:00
__init__.py Start using Hacking 2013-07-15 11:41:58 +02:00
base_storage_server.py Make log format for requests configurable 2019-05-02 17:43:25 -06:00
bufferedhttp.py bufferedhttp: ensure query params are properly quoted 2019-09-12 11:48:03 -07:00
constraints.py Allow bulk delete of big SLO manifests 2019-08-13 16:51:50 -07:00
container_sync_realms.py Python3: Fix test/unit/common/test_container_sync_realms.py 2019-01-29 09:04:36 -06:00
daemon.py Multiprocess object replicator 2018-04-24 04:05:08 +00:00
db.py py3: Specify an encoding when loading db.pending pickles 2019-06-17 08:06:39 -07:00
db_replicator.py container-replicator: Add a timeout for get_shard_ranges 2019-07-03 22:29:47 -07:00
direct_client.py py3: Monkey-patch json.loads to accept bytes on py35 2018-11-02 21:38:53 +00:00
exceptions.py Fix socket leak on object-server death 2019-01-31 18:38:35 +00:00
header_key_dict.py py3: Fix title-casing in HeaderKeyDict 2019-07-25 12:55:03 -07:00
http.py Fix pep8 E265 warning of hacking 0.10 2015-07-30 09:33:18 +02:00
internal_client.py Add params to get_*_metadata internal client methods 2019-08-14 16:13:25 +02:00
linkat.py py3: port common/ring/ and common/utils.py 2018-02-12 06:42:24 +00:00
manager.py Fix :param: in docstring 2019-06-14 11:29:27 +08:00
memcached.py py3: add swift-dsvm-functional-py3 job 2019-06-21 22:31:18 -07:00
request_helpers.py Consolidate Container-Update-Override headers 2019-08-09 10:35:26 -05:00
splice.py Clean out Python 2.6 leftovers from splice.py 2018-05-24 11:44:49 -07:00
storage_policy.py py3: Make StoragePolicy objects hashable 2019-05-04 21:01:29 -07:00
swob.py py3: Fix header_to_environ_key 2019-06-10 13:47:33 -07:00
utils.py Use `is` to compare against sentinel object 2019-08-06 10:14:47 -07:00
wsgi.py Fix some request-smuggling vectors on py3 2019-10-02 08:20:20 -07:00
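
The framing rule described in the commit message at the top of this page, as an added Python example that is not Swift's or eventlet's code. It applies the RFC 7230 section 3.3.3 rules to the complete header set; resolve_framing, BadFraming and the sample headers are hypothetical names and constructed values.

```python
import re


class BadFraming(ValueError):
    """Body length cannot be determined safely; answer 400."""


def resolve_framing(headers):
    """headers: the complete list of (name, value) pairs for one request.

    Returns (framing, forward): framing is 'chunked', or the body length
    as an int (0 when no body is declared); forward is the header list
    that is safe to send to a backend. Hypothetical helper.
    """
    te = [v for k, v in headers if k.lower() == 'transfer-encoding']
    cl = [v.strip() for k, v in headers if k.lower() == 'content-length']
    rest = [(k, v) for k, v in headers if k.lower() != 'content-length']

    if te:
        codings = [c.strip().lower() for v in te for c in v.split(',')]
        if codings[-1] != 'chunked':
            raise BadFraming('chunked must be the final transfer coding')
        # Transfer-Encoding wins; never forward Content-Length beside it.
        return 'chunked', rest
    if len(set(cl)) > 1:
        raise BadFraming('conflicting Content-Length values')
    if not cl:
        return 0, rest
    if not re.fullmatch(r'[0-9]+', cl[0]):  # rejects '', '-1', '+4', '0x4'
        raise BadFraming('invalid Content-Length %r' % cl[0])
    # Collapse identical duplicates into a single header.
    return int(cl[0]), rest + [('Content-Length', cl[0])]


# Constructed sample: the malformed request the commit message describes.
SMUGGLE = [('Host', 'saio.example'), ('Content-Length', '4'),
           ('Transfer-Encoding', 'chunked')]

if __name__ == '__main__':
    print(resolve_framing(SMUGGLE))
```

Run the check only after every header has been recovered, since a decision made on a partially parsed header set is the failure the commit message describes.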