On Thu, Jun 19, 2014 at 1:37 PM, Clint Byrum <clint at fewbar.com> wrote:

> A large majority of the failures I've seen OSSG report have been privilege
> escalation in each service. Trusts not scoping down properly, quotas
> not being applied, or cross-project/tenant boundaries not being honored.
>
> I don't think we've had many (if any) SQL or shell injection attacks or
> buffer overflows or anything like that. We're all pretty well trained to
> spot these issues and Python makes you have to try pretty hard to
> implement some of them.

There was a shell injection attack recently, "Remote Code Execution in Sheepdog backend"[1], and there have been other issues with trusting input/escaping too: "www-authenticate value isn't quoted"[2] and "XSS in Horizon-Orchestration"[3].

[1] https://bugs.launchpad.net/ossa/+bug/1298698
[2] https://bugs.launchpad.net/ossa/+bug/1327414
[3] https://bugs.launchpad.net/ossa/+bug/1289033

- Brant