osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1850273] Re: Updating any cinder quota for non-existent project works


*** This bug is a duplicate of bug 1307491 ***
    https://bugs.launchpad.net/bugs/1307491

** This bug has been marked a duplicate of bug 1307491
   quota-update should error out if input provided is non-existent tenant id

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1850273

Title:
  Updating any cinder quota for non-existent project works

Status in Cinder:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  When we try to update a cinder quota for a non-existent project, we
  get a 200ok response. The non-existent project doesn't get created,
  but am entry for this project in the quotas table of cinder is made.

   PUT /volume/v3/<proj-id>/os-quota-sets/<non-existent proj-id>

  Looks like project validation check is missing in the cinder quota
  update flow.

  Due to this flaw, multiple PUT calls on fake project ids might result
  in filling of quota tables very fast & can be considered a type of DOS
  attack.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1850273/+subscriptions