File CVE-2022-3100.patch of Package openstack-barbican

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-3100.patch of Package openstack-barbican

From 6112c302375bf3d4c27303d12beec52ce2a82a2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Douglas=20Mendiz=C3=A1bal?= <dmendiza@redhat.com>
Date: Tue, 30 Aug 2022 14:58:00 -0500
Subject: [PATCH] Fix Story 2010258 (CVE-2022-3100)

This patch fixes a security vunlerability where the contents of a
request query string were mistakenly being used in the RBAC policy
engine.

Change-Id: I5797988e4c63c75fccf85277c52815d9bf684cff
---
 barbican/api/controllers/__init__.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/barbican/api/controllers/__init__.py b/barbican/api/controllers/__init__.py
index e5db8cbf4..e944d3bd6 100644
--- a/barbican/api/controllers/__init__.py
+++ b/barbican/api/controllers/__init__.py
@@ -65,7 +65,6 @@ def _do_enforce_rbac(inst, req, action_name, ctx, **kwargs):
         if target_name and target_data:
             policy_dict['target'] = {target_name: target_data}
 
-        policy_dict.update(kwargs)
         # Enforce access controls.
         if ctx.policy_enforcer:
             ctx.policy_enforcer.enforce(action_name, flatten(policy_dict),

Places

File CVE-2022-3100.patch of Package openstack-barbican

Places