[openstack-dev] [nova][neutron] How do you use the instance IP filter?
mriedemos at gmail.com
Sat Oct 28 02:00:30 UTC 2017
On 10/26/2017 10:56 PM, Joshua Harlow wrote:
> Just the paranoid person in me, but is it safe to say that the filter
> that you are showing here does not come from user text?
> Ie these two lines don't come from a user input directly (without going
> through some filter) do they?
> From reading it seems like perhaps they do come at least partially from
> a user, so I am hoping that its not possible for a user to present a
> 'ip' that is really a complicated regex that takes a long time to
> compile (and therefore can DOS the nova-api component); but I don't know
> the surrounding code so I might be wrong...
> Just wondering :-/
We have schema validation on the ip filter but it's just checking that
it can actually compile it:
So yeah, probably a potential problem like you pointed out.
More information about the OpenStack-dev