Check object metadata constraints after authorizing

In the object proxy controller, the POST method checked the metadata of an object before calling swift.authorize. This could allow an auth middleware to set metadata that violates constraints. Instead, checking the metadata should take place after authorization. Change-Id: I5f05039498c406473952e78c6a40ec11e8b53f8e Closes-Bug: #1596944
2016-07-13 19:09:39 +00:00 · 2016-07-13 19:09:39 +00:00 · aa2a84ba8a
commit aa2a84ba8a
parent d6c3f6d554
2 changed files with 22 additions and 3 deletions
--- a/swift/proxy/controllers/obj.py
+++ b/swift/proxy/controllers/obj.py
@ -212,9 +212,6 @@ class BaseObjectController(Controller):
    @delay_denial
    def POST(self, req):
        """HTTP POST request handler."""
-        error_response = check_metadata(req, 'object')
-        if error_response:
-            return error_response
        container_info = self.container_info(
            self.account_name, self.container_name, req)
        container_partition = container_info['partition']
@ -226,6 +223,9 @@ class BaseObjectController(Controller):
                return aresp
        if not containers:
            return HTTPNotFound(request=req)
+        error_response = check_metadata(req, 'object')
+        if error_response:
+            return error_response

        req, delete_at_container, delete_at_part, \
            delete_at_nodes = self._config_obj_expiration(req)
--- a/test/unit/proxy/test_server.py
+++ b/test/unit/proxy/test_server.py
@ -3418,6 +3418,25 @@ class TestObjectController(unittest.TestCase):
            res = req.get_response(self.app)
            self.assertEqual(res.status_int, 400)

+    def test_POST_meta_authorize(self):
+        def authorize(req):
+            req.headers['X-Object-Meta-Foo'] = 'x' * (limit + 1)
+            return
+        with save_globals():
+            limit = constraints.MAX_META_VALUE_LENGTH
+            self.app.object_post_as_copy = False
+            controller = ReplicatedObjectController(
+                self.app, 'account', 'container', 'object')
+            set_http_connect(200, 200, 202, 202, 202)
+            #                acct cont obj  obj  obj
+            req = Request.blank('/v1/a/c/o', {'REQUEST_METHOD': 'POST'},
+                                headers={'Content-Type': 'foo/bar',
+                                         'X-Object-Meta-Foo': 'x'})
+            req.environ['swift.authorize'] = authorize
+            self.app.update_request(req)
+            res = controller.POST(req)
+            self.assertEqual(res.status_int, 400)
+
    def test_POST_meta_key_len(self):
        with save_globals():
            limit = constraints.MAX_META_NAME_LENGTH