using glance v2 api does not remove temporary files

Bug #1674846 reported by Erik Olof Gunnar Andersson
Affects                        | Status    | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon)  | Expired   | Undecided  | Unassigned  |
OpenStack Security Advisory    | Won't Fix | Undecided  | Unassigned  |

Bug Description

Currently if you are using Glance v2 with TemporaryUploadedFile (legacy mode?) the temporary file created on disk is never removed. This will eventually cause the machine to run out of tmp disk space.

The issue is that if Glance v2 is used, the code never calls image_update which is responsible for deleting the temporary file.
https://github.com/openstack/horizon/blob/446e5aefb4354c9092d1cbc5ff258ee74558e769/openstack_dashboard/api/glance.py#L439
https://github.com/openstack/horizon/blob/446e5aefb4354c9092d1cbc5ff258ee74558e769/openstack_dashboard/api/glance.py#L349

Either the function image_update should always be called, or if data is a TemporaryUploadedFile object, the call should always try to delete the temporary file once done.
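The report's mechanism, modelled as an added example rather than Horizon's own code: the spool file behind a TemporaryUploadedFile is only unlinked by the v1-only image_update step, so the v2 path (and any path that raises before reaching that step) leaves it behind in the temp directory. The hardened variant releases the file in a finally block whichever API version handled the upload. FakeTemporaryUploadedFile, FakeGlanceClient, image_update_v1, image_create_leaky, image_create_fixed and leaves_temp_file are all names invented for this illustration; the stand-in only copies the one property that matters here (Django's real class unlinks its spool file on close()).

```python
import os
import tempfile


class FakeTemporaryUploadedFile:
    """Minimal stand-in (constructed for this example, not Django's class) for
    django.core.files.uploadedfile.TemporaryUploadedFile: the browser upload has
    already been spooled to a named file on disk, and that file survives until
    something explicitly closes it."""

    def __init__(self, content: bytes):
        tmp = tempfile.NamedTemporaryFile(prefix="horizon-upload-", delete=False)
        tmp.write(content)
        tmp.close()
        self._path = tmp.name

    def temporary_file_path(self) -> str:
        return self._path

    def read(self) -> bytes:
        with open(self._path, "rb") as fh:
            return fh.read()

    def close(self) -> None:
        # Django's real class unlinks the spool file on close(); mirror that.
        try:
            os.unlink(self._path)
        except FileNotFoundError:
            pass  # already released (e.g. v1 path cleaned up before finally)


class FakeGlanceClient:
    """Records what was 'uploaded'; optionally raises to model a failed upload."""

    def __init__(self, fail: bool = False):
        self.fail = fail
        self.uploaded = {}

    def upload(self, image_id: str, payload: bytes) -> None:
        if self.fail:
            raise RuntimeError("simulated glance upload failure")
        self.uploaded[image_id] = payload


def image_update_v1(data) -> None:
    """Models the v1-only step the report points at: the temporary file is
    removed here, so any code path that never reaches this call leaks it."""
    if isinstance(data, FakeTemporaryUploadedFile):
        data.close()


def image_create_leaky(client, data, glance_v2: bool) -> str:
    """Flow as the report describes it: only the v1 branch reaches the cleanup."""
    image_id = "img-1"
    client.upload(image_id, data.read())
    if not glance_v2:
        image_update_v1(data)
    return image_id


def image_create_fixed(client, data, glance_v2: bool) -> str:
    """Same flow, but the spool file is always released once the upload has
    finished or failed, regardless of which Glance API version handled it."""
    image_id = "img-1"
    try:
        client.upload(image_id, data.read())
        if not glance_v2:
            image_update_v1(data)
    finally:
        if isinstance(data, FakeTemporaryUploadedFile):
            data.close()
    return image_id


def leaves_temp_file(create_fn, glance_v2: bool, fail: bool = False) -> bool:
    """Push one upload through create_fn and report whether its spool file is
    still on disk afterwards. Any leaked file is removed before returning so
    the example itself does not fill the temp directory."""
    data = FakeTemporaryUploadedFile(b"\x00" * 4096)  # constructed sample image bytes
    path = data.temporary_file_path()
    try:
        create_fn(FakeGlanceClient(fail=fail), data, glance_v2)
    except RuntimeError:
        pass  # the upload failed; what matters is whether the file was released
    leaked = os.path.exists(path)
    if leaked:
        os.unlink(path)
    return leaked


if __name__ == "__main__":
    print("leaky, v2:", leaves_temp_file(image_create_leaky, glance_v2=True))
    print("leaky, v1:", leaves_temp_file(image_create_leaky, glance_v2=False))
    print("fixed, v2:", leaves_temp_file(image_create_fixed, glance_v2=True))
    print("fixed, v2, upload fails:",
          leaves_temp_file(image_create_fixed, glance_v2=True, fail=True))
```

Releasing the file in a finally block rather than after image_update also covers the failure case the report does not mention explicitly: an upload that raises part way through would otherwise leave the spool file behind on both API versions, and an unauthenticated or low-privilege user who can trigger repeated failed uploads gets the same disk-exhaustion effect.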

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

@horizon-coresec, can you check this report please?
Is the TemporaryUploadedFile the default behavior for Horizon deployment?

Revision history for this message
Jeremy Stanley (fungi) wrote :

In keeping with recent OpenStack vulnerability management policy changes, no report should remain under private embargo for more than 90 days. Because this report predates the change in policy, the deadline for public disclosure is being set to 90 days from today. If the report is not resolved within the next 90 days, it will revert to our public workflow as of 2020-05-27. Please see http://lists.openstack.org/pipermail/openstack-discuss/2020-February/012721.html for further details.

description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

It doesn't look like this report has seen any activity since my update two months ago, so consider this a friendly reminder:

The embargo for this report is due to expire one month from today, on May 27, and will be switched public on or shortly after that day if it is not already resolved sooner.

Thanks!

Jeremy Stanley (fungi)
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

The embargo for this report has expired and is now lifted, so it's acceptable to discuss further in public.

description: updated
information type: Private Security → Public Security
Revision history for this message
Vishal Manchanda (vishalmanchanda) wrote :

Hi, I tried to reproduce this bug on the master branch but did not succeed.
I think it is already fixed by [1].
So when you try to create an image using the Django (legacy) way, it will create a temporary file which will be deleted once the upload is completed [2].

[1] https://review.opendev.org/c/openstack/horizon/+/703632
[2] https://github.com/openstack/horizon/blob/master/openstack_dashboard/api/glance.py#L517

If you still face the same issue, please add more steps to reproduce it.

Changed in horizon:
status: New → Incomplete
no longer affects: horizon
Changed in horizon:
status: New → Incomplete
Revision history for this message
Jeremy Stanley (fungi) wrote :

The indicated fix merged during the Ussuri development cycle, so in theory this bug should be valid only for stable/train and older branches. Given stable/train is scheduled to enter extended maintenance phase tomorrow, there is no opportunity to backport the fix to it and issue a point release at this stage. The fix could still be backported under extended maintenance if someone is interested in working on that, but there would be no point in issuing a security advisory for it because it will never appear in a point release for that series. As such, I'm marking our security advisory task won't fix to reflect this.

Changed in ossa:
status: Incomplete → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Dashboard (Horizon) because there has been no activity for 60 days.]

Changed in horizon:
status: Incomplete → Expired