[FIX] CloudStack: Values with wildcards will fail signature validation #846
Thanks to a small bug in the request signer the signature will be invalid for any request with any value containing a wildcard; it should be considered 'safe'.
This is identical to apache/cloudstack-cloudmonkey@38b68fb
@tonybaloney Thanks & we're running it in production already ;)
As I mentioned, the same bug surfaced in CloudMonkey (CloudStack's own API-driven CLI tool), and the fix was the same.
All API calls are signed & verified based on, amongst others, the encoded URL. This must apparently exclude HTML-encoding asterisks or the sig is invalid (as will the entire req be).
Of course it doesn't happen very often that a * is in the values, so that explains why this wasn't noticed for so long.
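The mismatch described in this thread, as an added example that is not part of the original thread or of the patch: a CloudStack-style signer (sort parameters, URL-encode values, lowercase, HMAC-SHA1, base64) run once with `*` percent-encoded and once with `*` treated as safe. The verifier is modelled on the assumption that the server leaves `*` literal when it rebuilds the signed string; the function names, key and parameters are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

SECRET = "constructed-secret-key"  # constructed value, not a real credential


def canonical_query(params, safe=""):
    """Build the string that gets signed: sorted keys, encoded values, lowercased."""
    pairs = sorted((k.lower(), quote(str(v), safe=safe)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs).lower()


def sign(params, secret, safe=""):
    """HMAC-SHA1 over the canonical query, base64-encoded."""
    msg = canonical_query(params, safe=safe).encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def server_verify(params, secret, signature):
    """Model of the verifier (assumption): it recomputes with '*' left unencoded."""
    expected = sign(params, secret, safe="*")
    return hmac.compare_digest(expected, signature)


# Constructed requests: one value carries a wildcard, the other does not.
WILDCARD = {"command": "listVirtualMachines", "keyword": "web-*", "apikey": "constructed"}
PLAIN = {"command": "listVirtualMachines", "keyword": "web-1", "apikey": "constructed"}

if __name__ == "__main__":
    for label, safe in (("'*' encoded", ""), ("'*' safe", "*")):
        sig = sign(WILDCARD, SECRET, safe=safe)
        print(label, canonical_query(WILDCARD, safe=safe),
              "accepted" if server_verify(WILDCARD, SECRET, sig) else "rejected")
```

Requests without an asterisk produce the same signature either way, which is why the mismatch only shows up on wildcard values.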