[dev][security-sig] Revisiting tarfile, or "What's old is new again"

Dan Smith dms at danplanet.com
Thu Sep 22 17:01:53 UTC 2022


> I encourage anyone using tarfile in their projects to double-check
> you're doing so safely[2].

I looked at Nova and Glance this morning and I think we're good. The
only use in nova is in the vmwareapi driver, which does use tarfile to
pull out a vmdk file, but it does so in memory and streams it directly to
vmfs without extracting it to the local disk. Glance's only use is in
the ova processing, which extracts the ovf and disk image from the
tarfile, but it processes the ovf in memory and then streams the disk
image to a uuid-based-name file on disk.

So I think those are okay at least, although I'm happy for others to
check my work of course.

--Dan
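The pattern Dan describes (read a member straight into memory, or stream it to a file whose name the caller picks, never letting the archive choose paths via extractall) as an added example; this is not code from the original post or from Nova/Glance, and the member check, function names and the constructed sample archive are assumptions made here.

```python
import io
import os
import tarfile
import uuid


def unsafe_members(tar):
    # Members a defender should reject before extracting anything: absolute
    # paths, ".." components, and link entries that could point outside the
    # destination directory.
    bad = []
    for m in tar.getmembers():
        parts = m.name.replace("\\", "/").split("/")
        if m.name.startswith(("/", "\\")) or ".." in parts or m.issym() or m.islnk():
            bad.append(m.name)
    return bad


def read_member_in_memory(tar, name):
    # Read one member fully into memory; no archive path touches the filesystem.
    fobj = tar.extractfile(name)
    if fobj is None:
        raise ValueError(f"{name!r} is not a regular file")
    return fobj.read()


def stream_member_to_file(tar, name, dest_dir, chunk=64 * 1024):
    # Stream one member to a uuid-named file chosen here, so the member name
    # inside the archive never influences the output path.
    fobj = tar.extractfile(name)
    if fobj is None:
        raise ValueError(f"{name!r} is not a regular file")
    out_path = os.path.join(dest_dir, f"{uuid.uuid4().hex}.img")
    with open(out_path, "wb") as out:
        for buf in iter(lambda: fobj.read(chunk), b""):
            out.write(buf)
    return out_path


def open_sample_tar():
    # Constructed sample archive: a benign OVF plus a traversal member,
    # returned opened for reading.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("image.ovf", b"<Envelope/>"), ("../../etc/passwd", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tarfile.open(fileobj=io.BytesIO(buf.getvalue()))
```

Running `unsafe_members()` on the sample archive flags only the traversal entry, while the two extraction helpers never hand the archive's member names to the filesystem.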