swift3/swift3/test
Kota Tsuyuzaki 4336ff4f99 Deny all access to controller instance method
The current swift3 middleware allows access to controller instance
methods via the HTTP verb, and it may be at risk of attacks such as brute
force.

For example:
  from boto.s3.connection import S3Connection
  conn = S3Connection(<snip>)
  # expected 405 Method Not Allowed but this results in 500
  # InternalError
  conn.make_request('_delete_segments_bucket', 'bucket')

Probably all instance methods except the public verb-like ones don't work
well and nothing is leaked, but it will absolutely result in 500 InternalError
without any information. This is worse. Thus we should restrict the method anyway.

This patch fixes it by setting the swift.common.utils.public decorator on all
public methods, so that the middleware will deny access to non-public
methods.

Closes-Bug: #1592250

Change-Id: Ia5579011701eaff2bca555efe950b0c11a3ff5b9
2016-06-14 19:04:14 -07:00
..
functional Deny all access to controller instance method 2016-06-14 19:04:14 -07:00
unit Deny all access to controller instance method 2016-06-14 19:04:14 -07:00
__init__.py test: add FakeSwift 2014-06-05 10:24:38 +09:00
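
The dispatch problem described in the commit message above, as an added example that is not code from the swift3 repository. The controller, the two dispatch functions and the local public() stand-in (which assumes the real decorator marks a function with a publicly_accessible attribute) are hypothetical names used for illustration.

```python
# Added illustration; a simplified stand-in, not swift3's actual code.

def public(func):
    """Local stand-in for swift.common.utils.public: marks a method as
    reachable from an HTTP verb (assumed attribute name)."""
    func.publicly_accessible = True
    return func


class BucketController:  # hypothetical controller
    @public
    def GET(self, bucket):
        return 200, "listing of %s" % bucket

    @public
    def DELETE(self, bucket):
        self._delete_segments_bucket(bucket, [])
        return 204, ""

    def _delete_segments_bucket(self, bucket, segments):
        # Internal helper: needs arguments a raw request never supplies.
        return len(segments)


def dispatch_unrestricted(controller, verb, bucket):
    """'Before' behaviour: whatever name arrives as the verb is looked up
    and called, so internal helpers fail with an opaque 500."""
    try:
        return getattr(controller, verb)(bucket)
    except Exception:
        return 500, "InternalError"


def dispatch_public_only(controller, verb, bucket):
    """'After' behaviour: only methods marked with @public are reachable;
    every other name is rejected before any controller code runs."""
    handler = getattr(controller, verb, None)
    if not getattr(handler, "publicly_accessible", False):
        return 405, "MethodNotAllowed"
    return handler(bucket)


if __name__ == "__main__":
    c = BucketController()
    for verb in ("GET", "DELETE", "_delete_segments_bucket", "__init__"):
        print(verb, dispatch_unrestricted(c, verb, "bucket")[0],
              dispatch_public_only(c, verb, "bucket")[0])
```

The allowlist is opt-in: a new controller method is unreachable until it is decorated, so forgetting the decorator fails closed.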