glance client allows override of header fields
Bug #1023892 reported by Lars Gellrich
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Wishlist | Lars Gellrich |
Bug Description
Hi,
Looking at the glance client code, I noticed that it allows adding additional header fields via the features parameter during image upload/update.
So far so good, but there is no check on these additional header fields in the utility function
glance/
Therefore one could replace any header field, since the call to the utility function is made after the metadata got added to the header.
I would suggest the following adjustments:
1. only add a header field if it's not present
2. limit the features to a list of "allowed" features like:
x-glance-
x-glance-
...
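The override described in the report and the two suggested adjustments, as an added example (not Glance code and not part of the original report). The function names, the allow-list entries and the sample headers are hypothetical; the feature names elided above are replaced by constructed placeholders.

```python
# Added example, not Glance code. All names below are hypothetical.

# Constructed placeholder allow-list; the real feature names are elided on the page.
ALLOWED_FEATURES = frozenset({"x-glance-placeholder-a", "x-glance-placeholder-b"})


def add_features_unchecked(features, headers):
    """Behaviour described in the report: features are written after the
    metadata headers and silently replace any header already present."""
    merged = {k.lower(): v for k, v in headers.items()}
    for key, value in features.items():
        merged[key.lower()] = str(value)
    return merged


def add_features_checked(features, headers, allowed=ALLOWED_FEATURES):
    """Both suggestions from the report: allow-list the feature names and
    never replace a header that is already set. Returns (merged, rejected)."""
    merged = {k.lower(): v for k, v in headers.items()}
    rejected = {}
    for key, value in features.items():
        # Header names are case-insensitive, so compare in normalised form.
        name = key.strip().lower()
        if name not in allowed:
            rejected[key] = "not an allowed feature"
        elif name in merged:
            rejected[key] = "header already present"
        else:
            merged[name] = str(value)
    return merged, rejected


# Constructed sample input: headers already built from image metadata.
SAMPLE_HEADERS = {
    "x-image-meta-owner": "tenant-a",
    "x-glance-placeholder-b": "off",
}
# Constructed sample features passed by the caller.
SAMPLE_FEATURES = {
    "X-Image-Meta-Owner": "tenant-b",   # collides with a metadata header
    "x-glance-placeholder-a": "on",     # allowed and not yet present
    "x-glance-placeholder-b": "on",     # allowed but already present
    "x-unlisted": "1",                  # not in the allow-list
}

if __name__ == "__main__":
    print(add_features_unchecked(SAMPLE_FEATURES, SAMPLE_HEADERS))
    print(add_features_checked(SAMPLE_FEATURES, SAMPLE_HEADERS))
```

Returning the rejected entries lets the caller log or refuse the request instead of dropping them silently.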
Changed in glance:
status: New → Confirmed
importance: Undecided → Medium
Changed in glance:
milestone: none → folsom-3
status: Fix Committed → Fix Released
Changed in glance:
milestone: folsom-3 → 2012.2
We could add some more checking, but is this really a bug? What is the negative impact of allowing 'features' to be free-form?