openstack/manila
Code Issues Proposed changes

Merge "Enforce policy checks for share export locations"

Browse Source
This commit is contained in:
Zuul 2020-03-24 08:32:59 +00:00 committed by Gerrit Code Review
commit 3be8d05dd2
3 changed files with 17 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
manila/api/v2/share_export_locations.py
View File

@ -20,6 +20,7 @@ from manila.api.views import export_locations as export_locations_views
from manila.db import api as db_api from manila.db import api as db_api
from manila import exception from manila import exception
from manila.i18n import _ from manila.i18n import _
from manila import policy
class ShareExportLocationController(wsgi.Controller): class ShareExportLocationController(wsgi.Controller):
@ -32,7 +33,9 @@ class ShareExportLocationController(wsgi.Controller):
def _verify_share(self, context, share_id): def _verify_share(self, context, share_id):
try: try:
db_api.share_get(context, share_id) share = db_api.share_get(context, share_id)
if not share['is_public']:
policy.check_policy(context, 'share', 'get', share)
except exception.NotFound: except exception.NotFound:
msg = _("Share '%s' not found.") % share_id msg = _("Share '%s' not found.") % share_id
raise exc.HTTPNotFound(explanation=msg) raise exc.HTTPNotFound(explanation=msg)

8
manila/api/v2/share_instance_export_locations.py
View File

@ -21,6 +21,7 @@ from manila.api.views import export_locations as export_locations_views
from manila.db import api as db_api from manila.db import api as db_api
from manila import exception from manila import exception
from manila.i18n import _ from manila.i18n import _
from manila import policy
class ShareInstanceExportLocationController(wsgi.Controller): class ShareInstanceExportLocationController(wsgi.Controller):
@ -33,7 +34,12 @@ class ShareInstanceExportLocationController(wsgi.Controller):
def _verify_share_instance(self, context, share_instance_id): def _verify_share_instance(self, context, share_instance_id):
try: try:
db_api.share_instance_get(context, share_instance_id) share_instance = db_api.share_instance_get(context,
share_instance_id,
with_share_data=True)
if not share_instance['is_public']:
policy.check_policy(context, 'share_instance', 'show',
share_instance)
except exception.NotFound: except exception.NotFound:
msg = _("Share instance '%s' not found.") % share_instance_id msg = _("Share instance '%s' not found.") % share_instance_id
raise exc.HTTPNotFound(explanation=msg) raise exc.HTTPNotFound(explanation=msg)

6
releasenotes/notes/bug-1654598-enforce-policy-checks-for-share-export-locations-a5cea1ec123b1469.yaml Normal file
View File

@ -0,0 +1,6 @@
---
security:
- |
Closes a gap where a user can see the export locations for another user's
share if the uuid of the other share is leaked, stolen, or (improbably)
guessed.