[openstack-dev] Can somebody help me to determine if an URL validation in python-glanceclient & horizon projects is safe

Gabriel Hurley Gabriel.Hurley at nebula.com
Mon Jan 20 21:15:31 UTC 2014


Adding this to glanceclient is probably acceptable since the worst abuse of it would be to disrupt a user's local machine until they terminated the process, but adding this to Horizon is a no-go.

Django removed the "verify_exists" option from URLField in Django 1.5 for very good reasons. Here's the release notes summary:

"django.db.models.fields.URLField.verify_exists will be removed. The feature was deprecated in 1.3.1 due to intractable security and performance issues and will follow a slightly accelerated deprecation timeframe."

Note the "intractable security issues" bit. Doing this type of validation server-side opens you up to some nasty DoS attacks and simply shouldn't be done.

If you have further questions, I recommend talking to Paul McMillan, who was the original reporter of the security issues with "verify_exists" in Django.

All the best,

- Gabriel

From: Victor Joel Morales Ruvalcaba [mailto:chipahuac at hotmail.com]
Sent: Monday, January 20, 2014 9:44 AM
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] Can somebody help me to determine if an URL validation in python-glanceclient & horizon projects is safe

I'm implementing a URL validation that checks whether the external location value provided exists and is reachable. To achieve that I'm using the urlopen method of the six.moves.urllib.request module, which seems similar to Django's deprecated verify_exists option. I'm wondering if I can proceed with the current implementation or whether there is another way to implement those validations.

https://review.openstack.org/#/c/64295/
https://review.openstack.org/#/c/64312/
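What the DoS concern raised above looks like in code, as an added example that is not code from python-glanceclient, Horizon, or the two reviews linked (all function and variable names are hypothetical): the first function is the reachability pattern the thread warns against, the second reproduces the stall locally against a loopback socket that completes the TCP handshake but never answers, and the third is a validation that checks the URL's shape without ever touching the network.

```python
"""Added example, not code from python-glanceclient, Horizon, or this thread.

Shows why a server-side "is this URL reachable?" check of the kind the
thread discusses (urlopen on a client-supplied URL) lets the client tie up
the server, and what a validation that does no network I/O looks like
instead. All names here are hypothetical.
"""
import socket
import time
from urllib.parse import urlsplit
from urllib.request import urlopen

ALLOWED_SCHEMES = {"http", "https"}


def is_reachable(url, timeout=None):
    """The pattern the thread warns against.

    The server opens a connection to whatever host the client named and
    then waits for that host to answer. With timeout=None (urlopen's
    default) the wait is unbounded; with a timeout, each submission still
    pins a request-handling thread for the full timeout if the host stalls.
    """
    try:
        with urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 400
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return False


def demo_stall(timeout=0.3):
    """Reproduce the stall locally (constructed setup, loopback only).

    A listening socket's backlog lets the kernel complete the TCP handshake,
    so the client's connect() succeeds, but nobody ever accept()s or writes
    a byte, so the response never arrives. Returns whether the URL was
    judged reachable and how long is_reachable() blocked before giving up.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        started = time.monotonic()
        ok = is_reachable("http://127.0.0.1:%d/" % port, timeout=timeout)
        return {"reachable": ok, "blocked_for": time.monotonic() - started}
    finally:
        listener.close()


def validate_external_url(url, max_len=2048):
    """Validation that never touches the network: shape only.

    Returns (ok, reason). Whether the location actually serves anything is
    for the eventual fetch to find out, with its own timeout and error path.
    """
    if not isinstance(url, str) or not url or len(url) > max_len:
        return False, "must be a non-empty string of at most %d characters" % max_len
    if any(ch.isspace() for ch in url):
        return False, "must not contain whitespace"
    try:
        parts = urlsplit(url)  # ValueError on e.g. an unbalanced IPv6 bracket
        parts.port            # ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return False, "malformed URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme must be one of %s" % sorted(ALLOWED_SCHEMES)
    if not parts.hostname:
        return False, "missing host"
    return True, ""


if __name__ == "__main__":
    for u in ("http://example.com/image.img", "file:///etc/passwd",
              "http://", "http://host:abc/", "http://[::1"):
        print(u, validate_external_url(u))
    print("stall demo:", demo_stall())
```

Running the block prints the verdicts for the constructed inputs and then shows is_reachable() blocking for the full timeout against a host that never replies. A timeout only bounds how long each submission costs the server; it does not stop a client from submitting as many such URLs as it likes, which is why the syntactic check is the one that belongs in request handling.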