[FIX] CloudStack: Values with wildcards will fail signature validation #846
The-Loeki wants to merge 1 commit into
Thanks to a small bug in the request signer the signature will be invalid for any request with any value containing a wildcard. Identical to apache/cloudstack-cloudmonkey@38b68fb
Thanks @The-Loeki, have you tested this? I don't really understand the issue but wondered if the string should be "" instead of "[]"?
@tonybaloney Thanks & we're running it in production already ;) As I mentioned, the same bug surfaced in CloudMonkey (CloudStack's own API-driven CLI tool), and the fix was the same. All API calls are signed & verified based on, amongst others, the encoded URL. This must apparently exclude HTML-encoding asterisks or the sig is invalid (as will the entire req be). Of course it doesn't happen very often that a * is in the values, so that explains why this wasn't noticed for so long.
OK, that's a strange bug. 👍
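Added example, not code from this PR or from either project: a minimal signer and a stand-in verifier showing why a percent-encoded `*` invalidates the signature while every other request still verifies. The canonicalisation (sorted lowercased keys, lowercased query string, HMAC-SHA1, base64), the function names and the sample values are assumptions made for illustration, as is the verifier leaving `*` unencoded.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def build_signature(params, secret, safe):
    """Sign a request: sort by lowercased key, URL-encode keys and values,
    lowercase the query string, HMAC-SHA1 it, then base64-encode."""
    pairs = sorted((k.lower(), str(v)) for k, v in params.items())
    query = "&".join(
        f"{quote(k, safe=safe)}={quote(v, safe=safe)}" for k, v in pairs
    )
    digest = hmac.new(secret.encode(), query.lower().encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


def verify(params, secret, presented):
    """Stand-in for the server side (assumption: it leaves '*' unencoded)."""
    expected = build_signature(params, secret, safe="*")
    return hmac.compare_digest(expected, presented)


# Constructed sample secret and requests; only the second has a wildcard.
SECRET = "constructed-secret-key"
PLAIN = {"command": "listVirtualMachines",
         "apiKey": "constructed-api-key",
         "keyword": "web01"}
WILDCARD = dict(PLAIN, keyword="web*")


def demo():
    """Return {signer variant: (plain request ok, wildcard request ok)}."""
    results = {}
    for label, safe in (("encodes *", ""), ("keeps *", "*")):
        results[label] = (
            verify(PLAIN, SECRET, build_signature(PLAIN, SECRET, safe)),
            verify(WILDCARD, SECRET, build_signature(WILDCARD, SECRET, safe)),
        )
    return results


if __name__ == "__main__":
    for label, (plain_ok, wildcard_ok) in demo().items():
        print(f"{label}: plain={plain_ok} wildcard={wildcard_ok}")
```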
Description
Thanks to a small bug in the request signer the signature will be invalid for any request with any value containing a wildcard; it should be considered 'safe'.
This is identical to apache/cloudstack-cloudmonkey@38b68fb
Status