author: Ed Tanous <edtanous@google.com> 2022-04-26 20:20:25 +0300
committer: Ed Tanous <ed@tanous.net> 2022-04-28 20:55:32 +0300
commit: 5e52870bbadc7e35ff47325ffa668a6b82bf9c4a
tree: 53f2050ca3c48ff1157c9f0f8d4cddda09926f8b /meson_options.txt
parent: 3d768a165183dd8cf7e485ac67ab7270845d5f87
Make insecure-enable-redfish-query more specific

insecure-enable-redfish-query is really only intended to protect the user from things that might run the system out of resources, like expand, or complex filter queries (ie queries that might pop the stack).

This commit message moves the location where the parameters are enabled/disabled into the parser itself, such that some parameters (like top and skip in the next commit) can be executed outside of this option flag.

Because of moving the expand support deeper in the call stack, some unit tests now need to be aware of whether or not expand is supported in the configuration.

Tested:
Enabled query option through local.conf with
EXTRA_OEMESON:pn-bmcweb:append = "-Dinsecure-enable-redfish-query='enabled'"

Then did:
curl --insecure --user root:0penBmc https://192.168.7.2/redfish/v1\?\$expand\=\*

Query expanded as expected; set insecure-enable-redfish-query='disabled' and observed that the same curl query returned QueryParameterValueFormatError, which is expected.

Signed-off-by: Ed Tanous <edtanous@google.com>
Change-Id: I24fbc2c9f64628d6457dd117b61ff22b276b0682

Diffstat (limited to 'meson_options.txt')
-rw-r--r-- meson_options.txt 2
1 files changed, 1 insertions, 1 deletions
diff --git a/meson_options.txt b/meson_options.txt
index 5b4419d0e7..6bdb615be9 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -44,4 +44,4 @@ option ('insecure-disable-auth', type : 'feature', value : 'disabled', descripti
option ('insecure-disable-xss', type : 'feature', value : 'disabled', description : 'Disable XSS preventions')
option ('insecure-tftp-update', type : 'feature', value : 'disabled', description : '''Enable TFTP based firmware update transactions through Redfish UpdateService.SimpleUpdate.''')
option ('insecure-push-style-notification',type : 'feature', value : 'disabled', description : 'Enable HTTP push style eventing feature')
-option ('insecure-enable-redfish-query', type : 'feature', value : 'disabled', description : 'Enables Redfish query parameters. This feature is experimental, and has not been tested against the full limits of user-facing behavior. It is not recommended to enable on production systems at this time.')
+option ('insecure-enable-redfish-query', type : 'feature', value : 'disabled', description : 'Enables Redfish expand query parameter. This feature is experimental, and has not been tested against the full limits of user-facing behavior. It is not recommended to enable on production systems at this time. Other query parameters such as only are not controlled by this option.')
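
Review bot: In the new description on the + line, the closing sentence "Other query parameters such as only are not controlled by this option" is hard to parse because the parameter name "only" reads as an ordinary adverb. Mark it as a name, for example by switching this string to the ''' quoting already used by insecure-tftp-update above and writing 'only'. The option is still named insecure-enable-redfish-query while the description now restricts it to expand, and the commit message describes the flag as guarding expand and complex filter queries, so the description should say whether filter-style queries are also meant to sit behind this flag. Otherwise someone reading only the build options cannot tell which resource-heavy parameters stay disabled by default. "Enables Redfish expand query parameter" also needs an article: "Enables the Redfish expand query parameter".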