Refactor #3303
closed
v2.py: Accept header handling is sketchy
100%
Description
Docker engines typically present more than one Accept: header (usually three).
While they are three different lines in the HTTP header, they typically get combined as a single value, comma-separated.
Crane has a bunch of if/then/else logic that looks like:
accept_headers = request.headers.get('Accept')
schema2_mediatype = 'application/vnd.docker.distribution.manifest.v2+json'
manifest_list_mediatype = 'application/vnd.docker.distribution.manifest.list.v2+json'
if manifest_list_mediatype in accept_headers ...:
    ...
That is essentially the equivalent of evaluating:
"val1" in "val1, val2, val3"
and boils down to string matching.
I find it dangerous, because "val" in "val1, val2, val3" is also True.
It just so happens that the Docker engine is civilized enough to present the right values.
A much better solution would be something like:
accept_headers = accept_headers.split(",") if accept_headers else []
accept_headers = set(x.strip() for x in accept_headers)
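An added example, not Crane's code: the substring check from the description next to an exact-token check, run on constructed Accept values. The function names and sample headers are hypothetical, and the parser goes one step beyond the split-and-strip above by dropping media types the client marks with q=0.

```python
SCHEMA2 = 'application/vnd.docker.distribution.manifest.v2+json'
MANIFEST_LIST = 'application/vnd.docker.distribution.manifest.list.v2+json'


def _quality(params):
    """Return the q weight among a media range's parameters (default 1.0)."""
    for param in params:
        name, _, value = param.partition('=')
        if name.strip().lower() == 'q':
            try:
                return float(value)
            except ValueError:
                return 0.0  # assumption: a malformed weight counts as "not acceptable"
    return 1.0


def accepted_media_types(header_values):
    """Parse one Accept value, or a list of them, into a set of media types."""
    if header_values is None:
        return set()
    if isinstance(header_values, str):
        header_values = [header_values]
    accepted = set()
    for value in header_values:
        for item in value.split(','):
            media_type, *params = (part.strip() for part in item.split(';'))
            # q=0 means the client refuses this type, so leave it out.
            if media_type and _quality(params) > 0:
                accepted.add(media_type.lower())
    return accepted


def substring_match(header, media_type):
    """The containment check the issue describes."""
    return media_type in (header or '')


def token_match(header, media_type):
    """Exact comparison against the parsed media types."""
    return media_type.lower() in accepted_media_types(header)


# Constructed sample headers (not captured from a real client).
ENGINE = ', '.join([SCHEMA2, MANIFEST_LIST, 'application/json'])
LOOKALIKE = MANIFEST_LIST + '.extra, application/json'
REFUSED = MANIFEST_LIST + ';q=0, ' + SCHEMA2

for name, header in [('ENGINE', ENGINE), ('LOOKALIKE', LOOKALIKE), ('REFUSED', REFUSED)]:
    print(name, substring_match(header, MANIFEST_LIST), token_match(header, MANIFEST_LIST))
```

Both checks agree on the well-formed header; they diverge on the look-alike type and on the q=0 entry, where only the token check declines to serve a manifest list.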
Updated by mihai.ibanescu@gmail.com about 5 years ago
- Description updated (diff)
Updated by dkliban@redhat.com about 5 years ago
- Status changed from NEW to POST
- Assignee set to mihai.ibanescu@gmail.com
Updated by dalley about 5 years ago
- Tracker changed from Issue to Refactor
- % Done set to 0
Added by Mihai Ibanescu about 5 years ago
Updated by Anonymous about 5 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset cf972a363b8c25323a1e53c831749537268f0a3a.
Added by Mihai Ibanescu about 5 years ago
Safer handling of Accept headers
closes #3303 https://pulp.plan.io/issues/3303
(cherry picked from commit cf972a363b8c25323a1e53c831749537268f0a3a)
Updated by pcreech about 5 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE