[openstack-dev] [security] [api] Script injection issue

Tristan Cacqueray tdecacqu at redhat.com
Fri Nov 17 15:55:33 UTC 2017


On November 17, 2017 1:56 pm, Jeremy Stanley wrote:
> On 2017-11-17 12:47:34 +0000 (+0000), Luke Hinds wrote:
>> This will need the VMT's attention, so please raise as an issue on
>> launchpad and we can tag it as for the vmt members as a possible OSSA.
> [...]
> 
> Ugh, looks like someone split this thread, and I already replied to
> the original thread. In short, I don't think it's safe to assume we
> know what's going to be safe for different frontends and consuming
> applications, so trying to play whack-a-mole with various unsafe
> sequences at the API side puts the responsibility for safe filtering
> in the wrong place and can lead to lax measures in the software
> which should actually be taking on that responsibility.
> 
> Of course, I'm just one voice. Others on the VMT certainly might
> disagree with my opinion on this.

We had similar issues[0][1] in the past where we already drew the line
that it is the client's responsibility to filter API responses.

Thus I agree with Jeremy; perhaps it is not ideal, but at least it
doesn't give a false sense of security if^Wwhen the server-side
filtering lets unpredicted malicious content through.

-Tristan

[0] https://launchpad.net/bugs/1486565
[1] https://launchpad.net/bugs/1649248
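To illustrate the point both replies make, that the correct encoding depends on where the consuming application puts the value, here is an added example (not code from this thread or from any OpenStack project) that renders one constructed server name into three HTML sink contexts; the server record and field names are assumptions.

```python
import html
import json

# Constructed sample API response value (not taken from the thread): a
# server name as a tenant might submit it, with HTML and script delimiters.
SAMPLE_SERVER = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "name": 'vm-1 <b>"test"</b> </script>',
}


def html_text(value: str) -> str:
    """Encode for an HTML element body: only &, < and > matter here."""
    return html.escape(value, quote=False)


def html_attr(value: str) -> str:
    """Encode for a double-quoted HTML attribute: quotes must go as well."""
    return '"' + html.escape(value, quote=True) + '"'


def js_literal(value: str) -> str:
    """Encode for an inline <script> block as a JSON string literal.

    json.dumps alone is not enough: a literal '</script>' inside the string
    would still close the script element, so '</' is written as '<\\/'.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_server(server: dict) -> dict:
    """Render the same API field into three sinks.

    Each sink needs a different encoding, so the choice can only be made
    by the consumer that knows the context, not by the API producing it.
    """
    name = server["name"]
    return {
        "text": f"<td>{html_text(name)}</td>",
        "attr": f"<tr data-name={html_attr(name)}>",
        "script": f"<script>var serverName = {js_literal(name)};</script>",
    }
```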