From d37290ce76f04013964f31d719d32b0f46c0b997 Mon Sep 17 00:00:00 2001 From: Your Name Date: Thu, 20 Nov 2014 21:01:19 +0200 Subject: [PATCH] Fix context.elevated Replace copy.copy() with copy.deepcopy() in 'elevated' method of RequestContext class to remove addition of admin role to original context that can be used by malicious users. Change-Id: Ie28acd9c6c9c75ab00f440b49996a1de7523158b Closes-bug: #1386932 --- manila/context.py | 2 +- manila/tests/test_context.py | 10 ++++++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/manila/context.py b/manila/context.py index 3d8fcfd6fd..b8616f5b61 100644 --- a/manila/context.py +++ b/manila/context.py @@ -128,7 +128,7 @@ class RequestContext(object): def elevated(self, read_deleted=None, overwrite=False): """Return a version of this context with admin flag set.""" - context = copy.copy(self) + context = copy.deepcopy(self) context.is_admin = True if 'admin' not in context.roles: diff --git a/manila/tests/test_context.py b/manila/tests/test_context.py index 2738565602..4ed87ab2cf 100644 --- a/manila/tests/test_context.py +++ b/manila/tests/test_context.py @@ -18,6 +18,16 @@ from manila import test class ContextTestCase(test.TestCase): + def test_request_context_elevated(self): + user_context = context.RequestContext( + 'fake_user', 'fake_project', admin=False) + self.assertFalse(user_context.is_admin) + admin_context = user_context.elevated() + self.assertFalse(user_context.is_admin) + self.assertTrue(admin_context.is_admin) + self.assertFalse('admin' in user_context.roles) + self.assertTrue('admin' in admin_context.roles) + def test_request_context_sets_is_admin(self): ctxt = context.RequestContext('111', '222',