The lack of priority on this over the past 6 years seems to indicate it's not a severe enough risk to warrant a widely published advisory even if a fix ever does merge. The VMT and other OpenStack Security SIG members agreed during the 2023.1 cycle that this should be considered class B2 per our report taxonomy: https://security.openstack.org/vmt-process.html#report-taxonomy

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

** Tags added: security

https://bugs.launchpad.net/bugs/1724598

Title:
  DOS : API_RESULT_LIMIT does not work for swift objects

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  A user can make the horizon apache process crash.

  Indeed, API_RESULT_LIMIT does not work when `full_listing=False` is
  passed as argument to swiftclient.client.Connection.get_account or to
  swiftclient.client.Connection.get_container.

  Therefore, when a customer has a very large amount of objects, the full
  production server crashes and stops responding.

  To reproduce: slowly upload a million small objects on one container,
  then view this container: the server crashes.
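
One way to keep a single container listing bounded no matter how many objects exist, as an added example (not Horizon's code and not the fix proposed for this bug). `StubConnection`, `list_objects_bounded` and the limit of 1000 are assumptions made for illustration; the stub is constructed and only mirrors the `marker`, `limit` and `full_listing` keyword arguments of `swiftclient.client.Connection.get_container`.

```python
API_RESULT_LIMIT = 1000  # assumed value for this example


class StubConnection:
    """Constructed stand-in for swiftclient.client.Connection (no network)."""

    def __init__(self, names, honor_limit=True):
        self.names = sorted(names)
        self.honor_limit = honor_limit  # False simulates a limit that is ignored
        self.calls = 0

    def get_container(self, container, marker=None, limit=None,
                      full_listing=False):
        self.calls += 1
        rows = [n for n in self.names if marker is None or n > marker]
        if self.honor_limit and limit is not None:
            rows = rows[:limit]
        return {}, [{"name": n} for n in rows]


def list_objects_bounded(conn, container, marker=None, limit=API_RESULT_LIMIT):
    """Fetch one page of at most `limit` objects.

    Returns (page, has_more, next_marker). Exactly one backend request is
    made per call, so the memory held by the caller is bounded by `limit`
    rows once the page has been truncated.
    """
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    # Request one extra row to learn whether another page exists.
    _headers, rows = conn.get_container(
        container, marker=marker, limit=limit + 1, full_listing=False)
    # Truncate locally too, so the cap holds even if the limit was ignored.
    page = rows[:limit]
    has_more = len(rows) > limit
    next_marker = page[-1]["name"] if has_more else None
    return page, has_more, next_marker


if __name__ == "__main__":
    conn = StubConnection("obj%07d" % i for i in range(5000))
    page, more, nxt = list_objects_bounded(conn, "demo")
    print(len(page), more, nxt, conn.calls)
```

The caller passes `next_marker` back in as `marker` to render the following page, so the view never holds more than one page of rows.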