From a92445e33d2cb27bc37a6db2fb736007fe7a7a16 Mon Sep 17 00:00:00 2001
From: Tim Potter
Date: Tue, 29 Jan 2013 22:30:12 +1100
Subject: Disallow setting /0 for network other than 0.0.0.0

If something like 15.0.0.0/0 is set as an IP address range it ends up being identical to 0.0.0.0/0 (i.e all access) which I don't think is the intent of the user when they make the API call.

Change-Id: I3fc05371f461112feae4f1097777fede5fc6b948
---
 nova/api/openstack/compute/contrib/security_groups.py | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'nova/api')

diff --git a/nova/api/openstack/compute/contrib/security_groups.py b/nova/api/openstack/compute/contrib/security_groups.py
index a15c395ae..c49e7af70 100644
--- a/nova/api/openstack/compute/contrib/security_groups.py
+++ b/nova/api/openstack/compute/contrib/security_groups.py
@@ -30,6 +30,7 @@ from nova.compute import api as compute_api
 from nova import db
 from nova import exception
 from nova.openstack.common import log as logging
+from nova.virt import netutils
 LOG = logging.getLogger(__name__)
 authorize = extensions.extension_authorizer('compute', 'security_groups')
@@ -332,6 +333,12 @@ class SecurityGroupRulesController(SecurityGroupControllerBase):
         values['parent_group_id'] = security_group.id
+        if 'cidr' in values:
+            net, prefixlen = netutils.get_net_and_prefixlen(values['cidr'])
+            if net != '0.0.0.0' and prefixlen == '0':
+                msg = _("Bad prefix for network in cidr %s") % values['cidr']
+                raise exc.HTTPBadRequest(explanation=msg)
         if self.security_group_api.rule_exists(security_group, values):
             msg = _('This rule already exists in group %s') % parent_group_id
             raise exc.HTTPBadRequest(explanation=msg)
--
cgit
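Review bot: The new check in the second hunk rejects every /0 whose address is not exactly '0.0.0.0', so an IPv6 allow-all rule `::/0` would also be refused with "Bad prefix" even though its address part is the zero network; if this controller accepts IPv6 CIDRs, the condition should read `if net not in ('0.0.0.0', '::') and prefixlen == '0':`. The comparison `prefixlen == '0'` also relies on netutils.get_net_and_prefixlen returning the prefix length as a string, which is not visible here; `int(prefixlen) == 0` would hold for either return type. The host-bits surprise the commit message describes is not specific to /0 (15.1.2.3/8 is silently stored as 15.0.0.0/8), so a follow-up could compare the parsed network address with the supplied address rather than special-casing prefix 0. The enclosing create method begins and ends outside the hunk, so whether values['cidr'] has already been validated as a well-formed CIDR before netutils parses it cannot be confirmed from this hunk.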