[Yahoo-eng-team] [Bug 1734154] [NEW] bad file path but accepted in a container by Horizon after uploading file

Thu, 23 Nov 2017 08:36:00 -0800 

Public bug reported:

I uploaded a file with a bad path which contains a double slash (example: 
'/my/file//path') in an object storage container.
The problem is that Horizon accepted this bad path as if it was a valid path, 
there was no control or validation on the path made by OpenStack Horizon. In 
the URL if I put '/containers/container/my-container/A/b/12/s' which doesn't 
exist, Horizon still open the container with the following path.

Steps to reproduce : 
- use "pkgcloud" module available on GitHub with node.JS to upload a file in a 
container in Horizon
- upload a file with a bad path
- get all files and you see that the file has been saved in a fake URL

Optionally: put a bad path on URL after '/containers/container/' and
Horizon will open this false container with false file

** Affects: horizon
     Importance: Undecided
         Status: New


** Tags: bad container file horizon node object openstack path pkgcloud storage

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1734154

Title:
  bad file path but accepted in a container by Horizon after uploading
  file

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  I uploaded a file with a bad path which contains a double slash (example: 
'/my/file//path') in an object storage container.
  The problem is that Horizon accepted this bad path as if it was a valid path, 
there was no control or validation on the path made by OpenStack Horizon. In 
the URL if I put '/containers/container/my-container/A/b/12/s' which doesn't 
exist, Horizon still open the container with the following path.

  Steps to reproduce : 
  - use "pkgcloud" module available on GitHub with node.JS to upload a file in 
a container in Horizon
  - upload a file with a bad path
  - get all files and you see that the file has been saved in a fake URL

  Optionally: put a bad path on URL after '/containers/container/' and
  Horizon will open this false container with false file

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1734154/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to