On 10/26/2017 10:56 PM, Joshua Harlow wrote:
Just the paranoid person in me, but is it safe to say that the filter
that you are showing here does not come from user text?
Ie these two lines don't come from a user input directly (without going
through some filter) do they?
From reading it seems like perhaps they do come at least partially from
a user, so I am hoping that its not possible for a user to present a
'ip' that is really a complicated regex that takes a long time to
compile (and therefore can DOS the nova-api component); but I don't know
the surrounding code so I might be wrong...
Just wondering :-/
We have schema validation on the ip filter but it's just checking that
it can actually compile it:
So yeah, probably a potential problem like you pointed out.
OpenStack Development Mailing List (not for usage questions)