Posted to dev@cloudstack.apache.org by anshul1886 <gi...@git.apache.org> on 2016/12/26 06:44:36 UTC

[GitHub] cloudstack pull request #1865: CLOUDSTACK-9705: Unauthenticated API allows A...

GitHub user anshul1886 opened a pull request:

    https://github.com/apache/cloudstack/pull/1865

    CLOUDSTACK-9705: Unauthenticated API allows Admin password reset

     Now, updating the password via the UpdateUser API is not allowed via the integration port

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/anshul1886/cloudstack-1 CLOUDSTACK-9705

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1865.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1865
    
----
commit d206336e1a89d45162c95228ce3486b31d476504
Author: Anshul Gangwar <an...@accelerite.com>
Date:   2015-01-29T22:50:26Z

    CLOUDSTACK-9705: Unauthenticated API allows Admin password reset
     Now, updating the password via the UpdateUser API is not allowed via the integration port

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] cloudstack pull request #1865: CLOUDSTACK-9705: Unauthenticated API allows A...

Posted by koushik-das <gi...@git.apache.org>.
Github user koushik-das commented on a diff in the pull request:

    https://github.com/apache/cloudstack/pull/1865#discussion_r103875741
  
    --- Diff: server/src/com/cloud/api/ApiServer.java ---
    @@ -430,8 +433,27 @@ public void handle(final HttpRequest request, final HttpResponse response, final
                 if (!(responseType.equals(HttpUtils.RESPONSE_TYPE_JSON) || responseType.equals(HttpUtils.RESPONSE_TYPE_XML))) {
                     responseType = HttpUtils.RESPONSE_TYPE_XML;
                 }
    -
                 try {
    +                //verify that parameter is legit for passing via admin port
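Review bot: the comment added at the top of the try block says "admin port", while the PR title, description and the rest of this thread call it the integration port (8096); the excerpt shows only this comment, so the check it introduces and the annotation it reads are not visible here. Use one name for the port and say in the comment which parameter annotation is consulted, so "legit" has a concrete meaning for the next reader (and put a space after `//` to match the surrounding style).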
    --- End diff --
    
    Check if it makes sense to move this into a separate helper method. There are also other places in the code that read the annotations on the API commands and parameters. Check if some of them can be reused.



[GitHub] cloudstack issue #1865: CLOUDSTACK-9705: Unauthenticated API allows Admin pa...

Posted by ramkatru <gi...@git.apache.org>.
Github user ramkatru commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
    tag:mergeready



[GitHub] cloudstack issue #1865: CLOUDSTACK-9705: Unauthenticated API allows Admin pa...

Posted by koushik-das <gi...@git.apache.org>.
Github user koushik-das commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
    Code changes LGTM



[GitHub] cloudstack issue #1865: CLOUDSTACK-9705: Unauthenticated API allows Admin pa...

Posted by koushik-das <gi...@git.apache.org>.
Github user koushik-das commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
    @anshul1886 @karuturi Should this be treated as a security issue and fixed on priority?



[GitHub] cloudstack issue #1865: CLOUDSTACK-9705: Unauthenticated API allows Admin pa...

Posted by cloudmonger <gi...@git.apache.org>.
Github user cloudmonger commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
    ### ACS CI BVT Run
    **Summary:**
    Build Number 321
    Hypervisor xenserver
    NetworkType Advanced
    Passed=104
    Failed=0
    Skipped=7
    
    _Link to logs Folder (search by build_no):_ https://www.dropbox.com/sh/yj3wnzbceo9uef2/AAB6u-Iap-xztdm6jHX9SjPja?dl=0
    
    
    **Failed tests:**
    
    **Skipped tests:**
    test_01_test_vm_volume_snapshot
    test_vm_nic_adapter_vmxnet3
    test_static_role_account_acls
    test_11_ss_nfs_version_on_ssvm
    test_nested_virtualization_vmware
    test_3d_gpu_support
    test_deploy_vgpu_enabled_vm
    
    **Passed test suites:**
    test_deploy_vm_with_userdata.py
    test_affinity_groups_projects.py
    test_portable_publicip.py
    test_over_provisioning.py
    test_global_settings.py
    test_scale_vm.py
    test_service_offerings.py
    test_routers_iptables_default_policy.py
    test_loadbalance.py
    test_routers.py
    test_reset_vm_on_reboot.py
    test_deploy_vms_with_varied_deploymentplanners.py
    test_network.py
    test_router_dns.py
    test_non_contigiousvlan.py
    test_login.py
    test_deploy_vm_iso.py
    test_list_ids_parameter.py
    test_public_ip_range.py
    test_multipleips_per_nic.py
    test_regions.py
    test_affinity_groups.py
    test_network_acl.py
    test_pvlan.py
    test_volumes.py
    test_nic.py
    test_deploy_vm_root_resize.py
    test_resource_detail.py
    test_secondary_storage.py
    test_vm_life_cycle.py
    test_routers_network_ops.py
    test_disk_offerings.py



[GitHub] cloudstack issue #1865: CLOUDSTACK-9705: Unauthenticated API allows Admin pa...

Posted by anshul1886 <gi...@git.apache.org>.
Github user anshul1886 commented on the issue:

    https://github.com/apache/cloudstack/pull/1865
  
    @koushik-das, this method is there so that it only gets called when the call is made through port 8096. Other parameter processing is done in a common place.
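
As an added example (not CloudStack code and not part of this PR), here is a constructed sketch of the gate the PR description and the comment above describe: each command parameter carries a flag saying whether it may be supplied on the unauthenticated integration port, and a request arriving on port 8096 is rejected when it carries a parameter not cleared for that port, while the same request on the authenticated port still has to pass authentication. The parameter registry, the port 8080 value and the status codes are assumptions for illustration.

```python
"""Constructed illustration (not CloudStack code) of gating API parameters
by the port a request arrived on: the unauthenticated integration port
(8096) accepts only parameters cleared for it, so updateUser remains
reachable there but cannot set a password."""
from dataclasses import dataclass
from urllib.parse import parse_qs

INTEGRATION_PORT = 8096  # unauthenticated port from the PR discussion
AUTH_PORT = 8080         # assumed: the normal, authenticated API port


@dataclass(frozen=True)
class Param:
    """Stands in for the per-parameter annotation a command declares."""
    name: str
    via_integration_port: bool = True


# Constructed registry; the real command classes are not reproduced here.
COMMANDS = {
    "updateUser": {p.name: p for p in (
        Param("id"), Param("email"),
        Param("password", via_integration_port=False))},
    "listUsers": {"id": Param("id")},
}


def params_barred_on_port(cmd_name, names, port):
    """Request parameters of cmd_name that may not arrive on this port."""
    cmd = COMMANDS[cmd_name]
    if port != INTEGRATION_PORT:
        return []
    return [n for n in names if n in cmd and not cmd[n].via_integration_port]


def handle_request(port, query_string, authenticated=False):
    """Dispatch decision for one request; returns (status, detail)."""
    qs = {k: v[0] for k, v in parse_qs(query_string).items()}
    cmd_name = qs.pop("command", None)
    if cmd_name not in COMMANDS:
        return 400, "unknown command"
    if port == AUTH_PORT and not authenticated:
        return 401, "authentication required"   # assumed status code
    barred = params_barred_on_port(cmd_name, qs, port)
    if barred:
        return 403, f"{cmd_name}: {', '.join(barred)} not allowed via port {port}"
    unknown = [n for n in qs if n not in COMMANDS[cmd_name]]
    if unknown:
        return 400, f"unknown parameters: {', '.join(unknown)}"
    return 200, f"{cmd_name} accepted with {sorted(qs)}"
```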

