[openstack-dev] [security] [api] Script injection issue

Jeremy Stanley fungi at yuggoth.org
Fri Nov 17 13:56:17 UTC 2017


On 2017-11-17 12:47:34 +0000 (+0000), Luke Hinds wrote:
> This will need the VMT's attention, so please raise as an issue on
> launchpad and we can tag it as for the vmt members as a possible OSSA.
[...]

Ugh, looks like someone split this thread, and I already replied to
the original thread. In short, I don't think it's safe to assume we
know what's going to be safe for different frontends and consuming
applications, so trying to play whack-a-mole with various unsafe
sequences at the API side puts the responsibility for safe filtering
in the wrong place and can lead to lax measures in the software
which should actually be taking on that responsibility.

Of course, I'm just one voice. Others on the VMT certainly might
disagree with my opinion on this.
-- 
Jeremy Stanley
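
The argument above, as an added example that is not part of the original message or of any OpenStack code: an API-side denylist cannot know which characters matter to each consumer, so each consumer encodes for its own output context. The filter, the two consumer contexts (an HTML page and a shell command line) and the sample values are assumptions constructed for illustration.

```python
import html
import re
import shlex

# Hypothetical API-side denylist of the kind the message argues against:
# it strips one "known bad" sequence and passes everything else through.
_DENYLIST = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def api_side_filter(value):
    """Remove <script> tags; all other input is returned unchanged."""
    return _DENYLIST.sub("", value)


def encode_for_html(value):
    """What an HTML frontend must do before placing the value in markup."""
    return html.escape(value, quote=True)


def encode_for_shell(value):
    """What a consumer building a shell command line must do."""
    return shlex.quote(value)


# Assumed consumers; a real deployment has others the API never hears about.
ENCODERS = {"html": encode_for_html, "shell": encode_for_shell}


def contexts_still_needing_encoding(value):
    """Contexts in which the API-filtered value cannot be emitted verbatim."""
    filtered = api_side_filter(value)
    return sorted(name for name, enc in ENCODERS.items()
                  if enc(filtered) != filtered)


if __name__ == "__main__":
    # Constructed sample resource names, not taken from any real system.
    for name in ["web-01", "R&D <lab>", "nightly;cleanup", "a<script>b"]:
        print(repr(name), "->", contexts_still_needing_encoding(name))
```

A value the denylist leaves untouched can still require encoding in one context and not in another, which is why the decision belongs to the consumer that knows its output context.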