openstack/manila
Code Issues Proposed changes

Fix context.elevated

Browse Source 
Replace copy.copy() with copy.deepcopy() in 'elevated' method of RequestContext
class to remove addition of admin role to original context that can be used by
malicious users.

Change-Id: Ie28acd9c6c9c75ab00f440b49996a1de7523158b
Closes-bug: #1386932
This commit is contained in:
Your Name 2014-11-20 21:01:19 +02:00
parent 59cdc70452
commit d37290ce76
2 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
manila/context.py
View File

@ -128,7 +128,7 @@ class RequestContext(object):
def elevated(self, read_deleted=None, overwrite=False): def elevated(self, read_deleted=None, overwrite=False):
"""Return a version of this context with admin flag set.""" """Return a version of this context with admin flag set."""
context = copy.copy(self) context = copy.deepcopy(self)
context.is_admin = True context.is_admin = True
if 'admin' not in context.roles: if 'admin' not in context.roles:

10
manila/tests/test_context.py
View File

@ -18,6 +18,16 @@ from manila import test
class ContextTestCase(test.TestCase): class ContextTestCase(test.TestCase):
def test_request_context_elevated(self):
user_context = context.RequestContext(
'fake_user', 'fake_project', admin=False)
self.assertFalse(user_context.is_admin)
admin_context = user_context.elevated()
self.assertFalse(user_context.is_admin)
self.assertTrue(admin_context.is_admin)
self.assertFalse('admin' in user_context.roles)
self.assertTrue('admin' in admin_context.roles)
def test_request_context_sets_is_admin(self): def test_request_context_sets_is_admin(self):
ctxt = context.RequestContext('111', ctxt = context.RequestContext('111',
'222', '222',