Use of eval in /cinder/volume/drivers/emc/emc_vmax_fc.py has potential security issue
Bug #1368013 reported by Zhang Yun
This bug report is a duplicate of:
Bug #1366990: Un-sanitized eval statement in EMC volume driver.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | New | Undecided | Unassigned |
OpenStack Security Advisory | Incomplete | Undecided | Unassigned |
Bug Description
Could someone give more explanation here of what eval is used for and where the input comes from? Please help make sure the use is safe. If the input is coming from a user then it is a security vulnerability.
Can anyone add some comments to the code saying what it is doing?
The same concern occurred in /cinder/
loc = volume[
if isinstance(loc, six.string_types):
name = eval(loc) ------------------> This line has the described issue
instancename = self.utils.
name['classname'], name['keybindin
information type: Private Security → Public Security
description: updated
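As an added example (not code from the bug report or from the Cinder driver), one defensive replacement for the eval() call: parse the stored string with ast.literal_eval, which accepts only Python literals, and then check that the result has the shape the driver expects. The sample string, the field name provider_location and the key names are assumptions based on the snippet above.

```python
import ast

# Constructed sample of the kind of serialized dict the driver appears to
# keep in volume['provider_location'] (field name assumed from the snippet).
SAMPLE_LOCATION = (
    "{'classname': 'Symm_StorageVolume', "
    "'keybindings': {'CreationClassName': 'Symm_StorageVolume', "
    "'SystemName': 'SYMMETRIX+000000000000', 'DeviceID': '000FF'}}"
)


def parse_provider_location(loc):
    """Parse a provider_location string into a dict without eval().

    ast.literal_eval only builds strings, numbers, tuples, lists, dicts,
    sets, booleans and None; a call, attribute access or name reference
    makes it raise ValueError, so a tampered value cannot execute code.
    """
    if not isinstance(loc, str):
        raise TypeError("provider_location must be a string")
    try:
        name = ast.literal_eval(loc)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("provider_location is not a literal: %s" % exc)
    # Enforce the structure the driver relies on downstream.
    if not isinstance(name, dict):
        raise ValueError("provider_location must encode a dict")
    for key in ("classname", "keybindings"):
        if key not in name:
            raise ValueError("provider_location is missing %r" % key)
    if not isinstance(name["classname"], str):
        raise ValueError("classname must be a string")
    if not isinstance(name["keybindings"], dict):
        raise ValueError("keybindings must be a dict")
    return name


def is_safe_provider_location(loc):
    """True if loc parses as the expected literal dict, False otherwise."""
    try:
        parse_provider_location(loc)
    except (TypeError, ValueError):
        return False
    return True
```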
I'm pretty sure this string is not user-provided, but will wait for the Cinder devs' analysis.