4336ff4f99
The current swift3 middleware allows access to controller instance methods via the HTTP verb, and it may be at risk of attacks such as brute force, like:

    from boto.s3.connection import S3Connection
    conn = S3Connection(<snip>)
    # expected 405 Method Not Allowed but this results in 500
    # InternalError
    conn.make_request('_delete_segments_bucket', 'bucket')

Probably all instance methods except the public verb-like ones don't work well and nothing is leaked, but it will absolutely return 500 InternalError without any information. This is worse. Thus we should restrict the methods anyway.

This patch fixes it by setting the swift.common.utils.public decorator on all public methods, and then the middleware will deny access to non-public methods.

Closes-Bug: #1592250
Change-Id: Ia5579011701eaff2bca555efe950b0c11a3ff5b9
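A minimal sketch of the dispatch problem the commit message describes, added here as an illustration and not swift3's own code. The `public` marker, `BucketController` and both dispatch functions are hypothetical stand-ins; only the method name `_delete_segments_bucket` comes from the message.

```python
# Added illustration; every name here is a hypothetical stand-in.

def public(func):
    """Marker decorator: flag a method as reachable from an HTTP verb."""
    func.publicly_accessible = True
    return func


class BucketController:
    @public
    def GET(self, bucket):
        return 200, "listing of %s" % bucket

    @public
    def DELETE(self, bucket):
        self._delete_segments_bucket(bucket, segments=[])
        return 204, ""

    def _delete_segments_bucket(self, bucket, segments):
        # Internal helper: needs arguments a raw HTTP dispatch never supplies.
        return len(segments)


def dispatch_unchecked(controller, method, bucket):
    """'Before' behaviour: any attribute name is accepted as a verb."""
    try:
        return getattr(controller, method)(bucket)
    except Exception:
        # Private helpers fail on bad arguments and surface as an opaque 500.
        return 500, "InternalError"


def dispatch_checked(controller, method, bucket):
    """'After' behaviour: only methods marked with @public are callable."""
    handler = getattr(controller, method, None)
    # Attribute lookup on a bound method falls through to the function.
    if not callable(handler) or not getattr(handler, "publicly_accessible", False):
        return 405, "MethodNotAllowed"
    try:
        return handler(bucket)
    except Exception:
        return 500, "InternalError"
```

In the checked version, dunder names such as `__init__` are rejected by the same test, because they carry no marker.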