Users can set arbitrary headers by adding newlines to header values

Bug #1297414 reported by Nicolas Simonds
This bug affects 1 person
Affects        Status        Importance  Assigned to      Milestone
Glance         Won't Fix     Undecided   Nicolas Simonds
Glance Client  Fix Released  Undecided   Nicolas Simonds

Bug Description

Glance and the python-glanceclient (v1) do not armor/sanitize their inputs when assembling headers. In particular, "x-image-meta-property-description" is exposed via interfaces like Horizon (which still uses v1) as a free-form text field (Unicode, newlines, etc. allowed), and if users introduce newlines, the glanceclient will POST them to Glance verbatim without any extra encoding, which means maliciously/incompetently constructed Description: values can set header values that the client otherwise would not.

I can't really see anything in the code that uses HTTP headers to set any sort of security context, but this could just be a lack of imagination on my part.
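
The behaviour the report describes, next to a check that prevents it, as an added example (not code from Glance or python-glanceclient). The helper names and the sample description are constructed here; only the `x-image-meta-property-` prefix comes from the report.

```python
import http.client
import io

PREFIX = "x-image-meta-property-"  # header prefix named in the report


def naive_header_block(properties):
    """Serialize properties as header lines with no validation."""
    lines = [f"{PREFIX}{name}: {value}\r\n" for name, value in properties.items()]
    return "".join(lines) + "\r\n"


def checked_header_block(properties):
    """Serialize only if no name or value carries CR, LF or NUL."""
    for name, value in properties.items():
        if any(ch in "\r\n\x00" for ch in name + value):
            raise ValueError(f"control character in image property {name!r}")
    return naive_header_block(properties)


def headers_seen_by_server(block):
    """Parse a header block with the stdlib HTTP header parser."""
    message = http.client.parse_headers(io.BytesIO(block.encode("latin-1")))
    return {name.lower(): value for name, value in message.items()}


# Constructed sample: a free-form description containing a CRLF.
SAMPLE = {"description": "line one\r\nx-constructed-extra: 1"}

if __name__ == "__main__":
    # The unvalidated block parses as two headers instead of one.
    print(headers_seen_by_server(naive_header_block(SAMPLE)))
    try:
        checked_header_block(SAMPLE)
    except ValueError as exc:
        print("rejected:", exc)
```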

information type: Private Security → Public
Changed in glance:
assignee: nobody → Nicolas Simonds (nicolas.simonds)
Changed in python-glanceclient:
assignee: nobody → Nicolas Simonds (nicolas.simonds)
Nicolas Simonds (nicolas.simonds) wrote :

The more common manifestation of this bug is that users put newlines in their Description: values and break image uploads.

Nicolas Simonds (nicolas.simonds) wrote :

Weird. I thought LaunchpadSync was supposed to do this for me:

https://review.openstack.org/82882
https://review.openstack.org/82884

Changed in python-glanceclient:
status: New → In Progress
Matt Riedemann (mriedem) wrote :

Is this still an issue? The patch is obviously abandoned.

Nicolas Simonds (nicolas.simonds) wrote :

It's still an issue, which may not be addressed in the v1 API, since it would break the contract.

There's a related Horizon bug that is caused by this, with a workaround pending:

https://bugs.launchpad.net/horizon/+bug/1370732

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (master)

Change abandoned by Nicolas Simonds (<email address hidden>) on branch: master
Review: https://review.openstack.org/82884
Reason: When we deployed this to production, this ended up causing weird edge-cases (and the attendant support tickets) when clients would invent their own methods for ingesting the API data that didn't involve encoding/decoding the entities.

Since we cannot by definition control how clients use the APIs, we've rolled this back internally in lieu of making the applications provide sensible input to the APIs, and considering any case where that does not happen a bug.

Abandoning change.

Ian Cordasco (icordasc)
Changed in python-glanceclient:
status: In Progress → New
Ian Cordasco (icordasc) wrote :

The underlying HTTP transport for glanceclient no longer allows users to send or receive headers like this. This is fixed in newer versions of glanceclient which rely on those newer versions of requests.

Changed in python-glanceclient:
status: New → Fix Released
Changed in glance:
status: New → Won't Fix