Add mechanism to limit Request ID size

Adding 'max_request_id_length' defaulting to 0 for backportability.

DocImpact
SecurityImpact

Closes-Bug: #1482301
Change-Id: Ie68afe7610a414bbcc42ff3bee33a9779303c115
This commit is contained in:
Erno Kuvaja 2015-08-06 16:29:28 +00:00
parent ade3ef630a
commit 9fdc92b57b
3 changed files with 19 additions and 1 deletions


@ -192,6 +192,13 @@ will prevent any new processes from being created.
Optional. Default: The number of CPUs available will be used by default. Optional. Default: The number of CPUs available will be used by default.
* ``max_request_id_length=LENGTH``
Limits the maximum size of the x-openstack-request-id header which is
logged. Affects only if context middleware is configured in pipeline.
Optional. Default: ``0`` (Limited by max_header_line default: 16384)
Configuring SSL Support Configuring SSL Support
~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~


@ -38,6 +38,8 @@ context_opts = [
help=_('Allow unauthenticated users to access the API with ' help=_('Allow unauthenticated users to access the API with '
'read-only privileges. This only applies when using ' 'read-only privileges. This only applies when using '
'ContextMiddleware.')), 'ContextMiddleware.')),
cfg.IntOpt('max_request_id_length', default=0,
help=_('Limits request ID length.')),
] ]
CONF = cfg.CONF CONF = cfg.CONF
@ -110,6 +112,13 @@ class ContextMiddleware(BaseContextMiddleware):
raise webob.exc.HTTPInternalServerError( raise webob.exc.HTTPInternalServerError(
_('Invalid service catalog json.')) _('Invalid service catalog json.'))
request_id = req.headers.get('X-Openstack-Request-ID')
if request_id and (0 < CONF.max_request_id_length <
len(request_id)):
msg = (_('x-openstack-request-id is too long, max size %s') %
CONF.max_request_id_length)
return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)
kwargs = { kwargs = {
'user': req.headers.get('X-User-Id'), 'user': req.headers.get('X-User-Id'),
'tenant': req.headers.get('X-Tenant-Id'), 'tenant': req.headers.get('X-Tenant-Id'),
@ -119,7 +128,7 @@ class ContextMiddleware(BaseContextMiddleware):
'owner_is_tenant': CONF.owner_is_tenant, 'owner_is_tenant': CONF.owner_is_tenant,
'service_catalog': service_catalog, 'service_catalog': service_catalog,
'policy_enforcer': self.policy_enforcer, 'policy_enforcer': self.policy_enforcer,
'request_id': req.headers.get('X-Openstack-Request-ID'), 'request_id': request_id,
} }
return glance.context.RequestContext(**kwargs) return glance.context.RequestContext(**kwargs)
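Review bot: The new rejection is returned rather than raised — `return webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)` — while the service-catalog failure two lines earlier in the same hunk raises `webob.exc.HTTPInternalServerError`; if this function's result is assigned to the request context by its caller (the trailing `return glance.context.RequestContext(**kwargs)` suggests a context-building helper rather than `process_request` itself, though the signature is outside the hunk), the 431 response object would be stored as the context instead of being sent to the client. Changing the line to `raise webob.exc.HTTPRequestHeaderFieldsTooLarge(comment=msg)` follows the existing error-handling pattern and rejects the over-long header regardless of how the caller uses the result. The check could also sit ahead of the `X-Service-Catalog` JSON parsing so an oversized header is refused before any other header work is done. The test changes in this commit only register the option name; no test sends an over-long `X-Openstack-Request-ID` with a non-zero `max_request_id_length` to pin the rejection path. The enclosing function starts outside the hunk.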


@ -81,6 +81,7 @@ class OptsTestCase(utils.BaseTestCase):
'enable_v3_api', 'enable_v3_api',
'enable_v1_registry', 'enable_v1_registry',
'enable_v2_registry', 'enable_v2_registry',
'max_request_id_length',
'pydev_worker_debug_host', 'pydev_worker_debug_host',
'pydev_worker_debug_port', 'pydev_worker_debug_port',
'metadata_encryption_key', 'metadata_encryption_key',
@ -169,6 +170,7 @@ class OptsTestCase(utils.BaseTestCase):
'enable_v1_registry', 'enable_v1_registry',
'enable_v2_registry', 'enable_v2_registry',
'pydev_worker_debug_host', 'pydev_worker_debug_host',
'max_request_id_length',
'pydev_worker_debug_port', 'pydev_worker_debug_port',
'metadata_encryption_key', 'metadata_encryption_key',
'bind_host', 'bind_host',
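Review bot: The new `'max_request_id_length'` entry is placed at different positions in the two option-name lists — before `'pydev_worker_debug_host'` in the first hunk and after it in the second — so the two expectations no longer mirror each other. Putting it at the same offset in both lists (e.g. before `'pydev_worker_debug_host'` in the second list as well) keeps them easy to compare by eye. Both enclosing lists start outside the hunks.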