Anonymous user can download public image through Swift
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
OpenStack Security Notes |
Fix Released
|
Undecided
|
N Dillon | ||
glance_store |
Fix Released
|
Critical
|
Stuart McLaren |
Bug Description
When Glance uses Swift as backend, and Swift uses delay_auth_decision feature (for temporary urls, for example), anyone can download public images anonymously from Swift by direct url.
Steps to reproduce:
1 Set
delay_
in Swift's proxy-server.conf.
Set
default_store = swift
swift_
swift_
in Glance's glance-api.conf.
2 Create a public image.
glance image-create --name fake_image --file <some_text_
You may use a text file to reproduce the error for descriptive reasons.
Use the got image id at the next step.
3 Download created image by curl.
curl <swift_
See your file in the output.
If swift_store_
Glance set read ACL to '.r:*,.rlistings' for all public images. Thus since anyone has access into Swift (by delay_auth_decision parameter), anyone can download a public image.
description: | updated |
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
Changed in ossn: | |
assignee: | nobody → N Dillon (sicarie) |
Changed in ossn: | |
status: | New → In Progress |
Changed in glance: | |
importance: | Undecided → Critical |
assignee: | nobody → Stuart McLaren (stuart-mclaren) |
Thanks for the report, the OSSA task is set to incomplete pending additional detail from swift-coresec.