http driver ignores query part of URI in redirects.

Bug #1633860 reported by Willy De la Court
Affects: glance_store | Status: Fix Released | Importance: Medium | Assigned to: Pavlo Shchelokovskyy
Ian Cordasco (icordasc) wrote :

So, it's not clear why, but the Location class for the HTTP store driver specifically deconstructs the URI and then reconstructs it without using all the parts of the parsed URI. This may be an attempt at security hardening, but it may also just be an omission. That much is not clear to me in the slightest. (Honestly, I can't imagine what the security impact of including query parameters after a redirect would be, but I'm not the most imaginative person.)

Changed in glance-store:
status: New → Triaged
importance: Undecided → Medium
tags: added: http
Changed in glance-store:
milestone: none → 0.21.0
tags: added: ocata-backport-potential
Pavlo Shchelokovskyy (pshchelo) wrote :

Currently we see the same behaviour even with cirros images (which are now hosted on GitHub releases, which themselves are stored in AWS):

Repro on DevStack master:

- set up Horizon with support for uploading images via URL and direct uploads: in local_settings.py add
  HORIZON_IMAGES_UPLOAD_MODE = 'direct'
  IMAGES_ALLOW_LOCATION = True

- set up Glance with CORS to allow direct uploads and show_multiple_locations=True

- try to upload a cirros image via Horizon by URL, e.g. http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img

Actual result: 400 Bad Request: The Store URI was malformed. (HTTP 400), image left in queueing state

When trying with curl the actual sequence of redirects is the following:

$ curl -Lv http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img
...
< HTTP/1.1 302 Found
< Date: Tue, 23 Feb 2021 10:32:04 GMT
< Server: Apache
< Location: https://github.com/cirros-dev/cirros/releases/download/0.3.4/cirros-0.3.4-x86_64-disk.img
...
< HTTP/2 302
< server: GitHub.com
< date: Tue, 23 Feb 2021 10:29:56 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< location: https://github-releases.githubusercontent.com/219785102/e41baf80-4120-11ea-8591-3a2c8739c5a3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210223%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210223T102956Z&X-Amz-Expires=300&X-Amz-Signature=a6777d8cab4cf95bef78a09ce4bc85c2bd5b651d2b8ea6ee81430685e41942f3&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=219785102&response-content-disposition=attachment%3B%20filename%3Dcirros-0.3.4-x86_64-disk.img&response-content-type=application%2Foctet-stream
...

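Added example (not glance_store code, and not from any commenter): a stdlib-only simulation of the redirect chain in the curl trace above. It contrasts a Location reconstruction that reassembles only scheme, host and path (the behaviour Ian describes) with one that keeps all six URL components. The HTTP exchange is replayed offline from a constructed map of the three hops; the assumption that the S3 host answers 403 to a presigned URL whose X-Amz-* query is missing is mine, as is the SIGV4_PARAMS set used to report which signing parameters got lost.

```python
# Added example, not glance_store code: why dropping the query on a redirect
# target breaks the cirros download chain, and a reconstruction that keeps it.
from urllib.parse import urlparse, urlunparse, parse_qs

# Constructed from the curl trace on this page: the three hops of the chain.
START = "http://download.cirros-cloud.net/0.3.4/cirros-0.3.4-x86_64-disk.img"
GITHUB = ("https://github.com/cirros-dev/cirros/releases/download/0.3.4/"
          "cirros-0.3.4-x86_64-disk.img")
PRESIGNED = (
    "https://github-releases.githubusercontent.com/219785102/"
    "e41baf80-4120-11ea-8591-3a2c8739c5a3"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210223%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20210223T102956Z&X-Amz-Expires=300"
    "&X-Amz-Signature=a6777d8cab4cf95bef78a09ce4bc85c2bd5b651d2b8ea6ee81430685e41942f3"
    "&X-Amz-SignedHeaders=host"
)

# Simulated servers: url -> (status, Location header or None).
CHAIN = {START: (302, GITHUB), GITHUB: (302, PRESIGNED), PRESIGNED: (200, None)}

# Assumed set of query parameters a SigV4 presigned URL carries; the object
# store validates the signature over them, so losing any of them is fatal.
SIGV4_PARAMS = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                "X-Amz-Expires", "X-Amz-Signature", "X-Amz-SignedHeaders"}


def fake_get(url):
    """Offline stand-in for an HTTP GET against the constructed chain.
    Assumption: the S3-backed host rejects the object URL once its presign
    query is gone (real S3 answers 403 for an unauthenticated private object)."""
    if url in CHAIN:
        return CHAIN[url]
    if url.startswith("https://github-releases.githubusercontent.com/"):
        return (403, None)
    return (404, None)


def rebuild_dropping_query(url):
    """Reassemble from scheme, host and path only: the lossy reconstruction."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc, p.path, "", "", ""))


def rebuild_keeping_query(url):
    """Reassemble all six components, so query (and fragment) survive."""
    p = urlparse(url)
    return urlunparse((p.scheme, p.netloc, p.path, p.params, p.query, p.fragment))


def missing_sigv4_params(url):
    """Names of the assumed presign parameters absent from the URL's query."""
    present = set(parse_qs(urlparse(url).query))
    return sorted(SIGV4_PARAMS - present)


def follow_redirects(url, rebuild, max_hops=5):
    """Follow 3xx Location headers, passing each target through `rebuild`.
    Returns (final_status, final_url, redirects_followed)."""
    for hop in range(max_hops):
        status, location = fake_get(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = rebuild(location)
            continue
        return status, url, hop
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for name, rebuild in (("dropping query", rebuild_dropping_query),
                          ("keeping query", rebuild_keeping_query)):
        status, final, hops = follow_redirects(START, rebuild)
        print(f"{name}: HTTP {status} after {hops} redirects, "
              f"missing presign params: {missing_sigv4_params(final)}")
```

The first two hops survive either reconstruction because neither github.com URL has a query; the third hop is where the lossy rebuild throws away the whole SigV4 signature and the fetch fails, which is the state the bug leaves the image in.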
Changed in glance-store:
status: Triaged → In Progress
assignee: nobody → Pavlo Shchelokovskyy (pshchelo)
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance_store (master)

Reviewed: https://review.opendev.org/c/openstack/glance_store/+/777138
Committed: https://opendev.org/openstack/glance_store/commit/951a9f535e18571d82f1dbe30e94740601f84ffe
Submitter: "Zuul (22348)"
Branch: master

commit 951a9f535e18571d82f1dbe30e94740601f84ffe
Author: Pavlo Shchelokovskyy <email address hidden>
Date: Tue Feb 23 14:16:37 2021 +0000

    Do not lose url queries on redirects

    when fetching images with http driver, the redirect URL can have
    mandatory query in it, which must be kept intact to successfully
    fetch the image.

    Change-Id: I2a9d4d026b935ea6c5e5a3a46c86f70ce1e39ae7
    Closes-Bug: #1633860

Changed in glance-store:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance_store 4.1.0

This issue was fixed in the openstack/glance_store 4.1.0 release.
