On 10/26/2017 10:56 PM, Joshua Harlow wrote:
Just the paranoid person in me, but is it safe to say that the filter that you are showing here does not come from user text?

I.e., these two lines don't come from a user input directly (without going through some filter), do they?

https://github.com/openstack/nova/blob/16.0.0/nova/compute/api.py#L2458-L2459

From reading, it seems like perhaps they do come at least partially from a user, so I am hoping that it's not possible for a user to present an 'ip' that is really a complicated regex that takes a long time to compile (and therefore can DoS the nova-api component); but I don't know the surrounding code so I might be wrong...

Just wondering :-/

-Josh

We have schema validation on the ip filter but it's just checking that it can actually compile it:

https://github.com/openstack/nova/blob/16.0.0/nova/api/validation/validators.py#L35

So yeah, probably a potential problem like you pointed out.

--

Thanks,

Matt

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
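
The gap discussed in this thread, as an added example that is not part of either message and is not nova's code: a compile-only check next to a stricter check for an IP filter value. The function names, the 64-character limit and the allowed character set are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re

# Assumed policy for this example, not taken from nova.
MAX_FILTER_LEN = 64
# Characters sufficient to match IPv4/IPv6 text with anchors, escapes, the
# "." wildcard and character classes. Grouping "()", alternation "|" and the
# quantifiers "*", "+", "?", "{}" are excluded, so a filter cannot express
# repetition and matching cost stays bounded by the filter length.
ALLOWED = re.compile(r'[0-9A-Fa-f:.\\^$\[\]-]+')


def compile_only_check(value):
    """Accept anything that compiles (the style of check described above)."""
    try:
        re.compile(value)
    except re.error:
        return False
    return True


def strict_ip_filter_check(value):
    """Bound the length, restrict the alphabet, then require it to compile."""
    if not isinstance(value, str) or not 0 < len(value) <= MAX_FILTER_LEN:
        return False
    if not ALLOWED.fullmatch(value):
        return False
    return compile_only_check(value)


def compare(samples):
    """Return (sample, compile_only, strict) for each sample."""
    return [(s, compile_only_check(s), strict_ip_filter_check(s))
            for s in samples]


# Constructed sample filter values.
SAMPLES = [
    "10.0.0.",                  # plain prefix filter
    r"^192\.168\.1\.[0-9]$",    # anchored IPv4 with a character class
    "fe80::",                   # IPv6 prefix
    r"(10|192)+\.",             # grouping with repetition
    "1" * 500,                  # over-long value
    "[0-9",                     # does not compile
]

if __name__ == "__main__":
    for sample, loose, strict in compare(SAMPLES):
        print(f"{sample[:30]!r:34} compile-only={loose!s:5} strict={strict}")
```
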
