Activity log for bug #1354512

Date Who What changed Old value New value Message
2014-08-08 15:57:08 Feodor Tersin bug added bug
2014-08-08 16:07:56 Tristan Cacqueray bug task added ossa
2014-08-08 16:08:02 Tristan Cacqueray ossa: status New Incomplete
2014-08-08 16:08:19 Tristan Cacqueray bug added subscriber Swift Core security contacts
2014-08-08 16:10:33 Tristan Cacqueray bug added subscriber Glance Core security contacts
2014-08-08 16:38:50 Alistair Coles bug added subscriber Alistair Coles
2014-08-09 15:13:34 Jeremy Stanley bug added subscriber OSSG CoreSec
2014-08-09 15:57:25 Feodor Tersin description
Old value:
When Glance uses Swift as backend, and Swift uses the delay_auth_decision feature (for temporary urls, for example), anyone can download public images anonymously from Swift by direct url.
Steps to reproduce:
1. Set
    delay_auth_decision = 1
in Swift's proxy-server.conf. Set
    default_store = swift
    swift_store_multi_tenant = True
    swift_store_create_container_on_put = True
in Glance's glance-api.conf.
2. Create a public image.
    glance image-create --name fake_image --file <some_text_file_name>
You may use a text file to reproduce the error for descriptive reasons. Use the obtained image id at the next step.
3. Download the created image by curl.
    curl <swift_endpoint>/glance_<image_id>/<image_id>
See your file in the output. If swift_store_container in your glance-api.conf is not 'glance', use the appropriate prefix in the command above.
Glance sets the read ACL to '.r:*,.rlistings' for all public images. Thus, since anyone has access to Swift (by the delay_auth_decision parameter), anyone can download a public image.
New value:
When Glance uses Swift as backend, and Swift uses the delay_auth_decision feature (for temporary urls, for example), anyone can download public images anonymously from Swift by direct url.
Steps to reproduce:
1. Set
    delay_auth_decision = 1
in Swift's proxy-server.conf. Set
    default_store = swift
    swift_store_multi_tenant = True
    swift_store_create_container_on_put = True
in Glance's glance-api.conf.
2. Create a public image.
    glance image-create --name fake_image --file <some_text_file_name> --is-public True
You may use a text file to reproduce the error for descriptive reasons. Use the obtained image id at the next step.
3. Download the created image by curl.
    curl <swift_endpoint>/glance_<image_id>/<image_id>
See your file in the output. If swift_store_container in your glance-api.conf is not 'glance', use the appropriate prefix in the command above.
Glance sets the read ACL to '.r:*,.rlistings' for all public images. Thus, since anyone has access to Swift (by the delay_auth_decision parameter), anyone can download a public image.
2014-08-09 16:15:50 Feodor Tersin bug added subscriber Alexandre Levine
2014-08-09 16:39:56 Feodor Tersin bug added subscriber Andrey Pavlov
2014-08-09 18:43:30 Feodor Tersin bug added subscriber Cheyenne Bryant
2014-08-09 18:44:16 Feodor Tersin bug added subscriber Stephen Cole
2014-08-12 05:40:33 Stephen Cole bug added subscriber Marc Heckmann
2014-08-21 13:06:19 Thierry Carrez information type Private Security Public
2014-08-21 13:06:31 Thierry Carrez bug task added ossn
2014-08-21 13:06:39 Thierry Carrez ossa: status Incomplete Won't Fix
2014-08-29 23:27:04 N Dillon ossn: assignee N Dillon (sicarie)
2014-09-12 04:33:13 Nathan Kinder ossn: status New In Progress
2014-10-23 17:03:21 Nathan Kinder ossn: status In Progress Fix Released
2014-11-14 15:46:12 Nikhil Komawar glance: importance Undecided Critical
2014-11-14 15:48:36 Nikhil Komawar glance: assignee Stuart McLaren (stuart-mclaren)
2014-11-14 17:38:13 OpenStack Infra glance: status New Fix Committed
2014-11-18 15:08:54 Erno Kuvaja affects glance glance-store
2014-11-28 15:59:27 Louis Taylor glance-store: status Fix Committed Fix Released
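An added defender-side check for the configuration combination described in the bug report above (example code written for this page, not from the report or from the Glance/Swift projects): it parses the two config files for delay_auth_decision in Swift together with the multi-tenant Swift store in Glance, and tests a container's read ACL for the '.r:*' element the report says Glance sets on public images. The sample config text is constructed; placing delay_auth_decision under [filter:authtoken] and the Glance options under [DEFAULT] is an assumption about where those options live.

```python
import configparser
from typing import List

# Constructed sample configs reproducing the combination from the bug report
# (section placement is an assumption; the lookup below searches every section).
SWIFT_PROXY_CONF = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
delay_auth_decision = 1
"""

GLANCE_API_CONF = """
[DEFAULT]
default_store = swift
swift_store_multi_tenant = True
swift_store_create_container_on_put = True
"""


def _find_option(conf_text: str, option: str) -> str:
    """Return the value of `option` from any section (DEFAULT included), '' if absent."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    for section in [parser.default_section] + parser.sections():
        if parser.has_option(section, option):
            return parser.get(section, option).strip()
    return ""


def _truthy(value: str) -> bool:
    return value.lower() in ("1", "true", "yes", "on")


def audit_config(swift_proxy_conf: str, glance_api_conf: str) -> List[str]:
    """Flag delayed auth decision in Swift combined with Glance's multi-tenant Swift store."""
    findings = []
    delayed = _truthy(_find_option(swift_proxy_conf, "delay_auth_decision"))
    swift_backend = _find_option(glance_api_conf, "default_store") == "swift"
    multi_tenant = _truthy(_find_option(glance_api_conf, "swift_store_multi_tenant"))
    if delayed:
        findings.append("swift: delay_auth_decision enabled, unauthenticated requests reach ACL checks")
    if swift_backend and multi_tenant:
        findings.append("glance: multi-tenant swift store sets '.r:*,.rlistings' on public images")
    if delayed and swift_backend and multi_tenant:
        findings.append("RISK: public images readable anonymously via direct Swift URL")
    return findings


def world_readable(container_read_acl: str) -> bool:
    """True if a Swift X-Container-Read ACL contains the referrer wildcard '.r:*'."""
    elements = [e.strip() for e in container_read_acl.split(",") if e.strip()]
    return any(e == ".r:*" for e in elements)
```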