Public bug reported:
When an image owner updates an image's owner to someone else, the update
is prevented (which is a good thing), but with a 404 "Not Found" (not so
good), instead of the 403 "Forbidden".
The reason why Glance returns a 404 "Not Found" is because the image is
re-fetched after being updated, but as the owner and user differ, the
action is forbidden (which get translated into a "not found" because
under normal circumstances a forbidden would tip an attacker off to the
existence of an image), and the update is never committed.
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1541594
Title:
Updating image owner to someone else generates a non-intuitive 404
instead of 403
Status in Glance:
New
Bug description:
When an image owner updates an image's owner to someone else, the
update is prevented (which is a good thing), but with a 404 "Not
Found" (not so good), instead of the 403 "Forbidden".
The reason why Glance returns a 404 "Not Found" is because the image
is re-fetched after being updated, but as the owner and user differ,
the action is forbidden (which get translated into a "not found"
because under normal circumstances a forbidden would tip an attacker
off to the existence of an image), and the update is never committed.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1541594/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
