[OSSA 2013-007] v1 api returns location as header for cached images
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Glance | Fix Released | High | Stuart McLaren | |
| Essex | Fix Committed | High | Stuart McLaren | |
| Folsom | Fix Released | High | Stuart McLaren | |
| Grizzly | Fix Released | High | Stuart McLaren | |
| OpenStack Security Advisory | Fix Released | Undecided | Thierry Carrez | |
Bug Description
When an image which is not in cache is downloaded:
rm /opt/stack/
The headers don't contain the backend 'location' field:
T 10.6.51.191:9292 -> 10.6.51.191:52150 [AP]
HTTP/1.1 200 OK.
Content-Type: application/
X-Image-Meta-Id: 2e877e45-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-Meta-Size: 332.
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-Meta-Name: Image1.
Location: http://
Etag: ccad32d005750c1
X-Openstack-
Date: Thu, 28 Feb 2013 10:23:06 GMT.
Transfer-Encoding: chunked.
.
14c.
But if the image is cached:
glance --os-image-
the backend location field (with credentials) is returned as a header:
T 10.6.51.191:9292 -> 10.6.51.191:51954 [AP]
HTTP/1.1 200 OK.
Content-Length: 332.
Content-Type: application/
X-Image-Meta-Id: 2e877e45-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-Meta-Size: 332.
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-
X-Image-Meta-Name: Image1.
Location: http://
Etag: ccad32d005750c1
X-Openstack-
Date: Thu, 28 Feb 2013 10:22:15 GMT.
.
A possible fix for this:
$ git diff glance/
diff --git a/glance/
index 4b62946..fadc888 100644
--- a/glance/
+++ b/glance/
@@ -933,6 +933,9 @@ class ImageSerializer
def _inject_
+ # Remove original location for security reasons
+ if 'location' in image_meta:
+ del image_meta[
location = self._get_
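Review bot: the guarded `del image_meta[...]` only removes the backend location from the metadata dict; if the metadata-to-header conversion has already produced an `x-image-meta-location` entry in `response.headers` before `_inject_...` runs, that header survives, which is exactly the cached-image response the description shows. Either strip `response.headers['x-image-meta-location']` here as well, or remove `location` before the headers are built. The comment "Remove original location for security reasons" should also state the reason, namely that the store location URI can embed backend credentials, so the next reader does not reintroduce it as harmless metadata.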
| Changed in | Field | Change |
|---|---|---|
| glance | milestone | none → grizzly-rc1 |
| glance | status | New → Triaged |
| glance | importance | Undecided → Critical |
| glance | status | In Progress → Confirmed |
| glance | information type | Private Security → Public Security |
| glance | status | Fix Committed → Fix Released |
| ossa | assignee | nobody → Thierry Carrez (ttx) |
| ossa | status | New → Fix Released |
| ossa | summary | v1 api returns location as header for cached images → [OSSA 2013-007] v1 api returns location as header for cached images |
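The leak the bug description shows and the fix the proposed patch applies, as an added Python example (not Glance's own code): a simplified model of the v1 header serialisation before and after the change, plus a parser for ngrep-style header dumps like the ones above that flags a backend location header or any header value carrying credentials in a URI. The metadata dict, the header dump, the hostnames, the store URI and every function name here are constructed assumptions; only the `x-image-meta-<field>` header convention comes from the dumps in the report.

```python
"""Model of the Glance v1 location leak, its fix, and a response check.

Added example, not Glance's own code. Mirrors the behaviour the bug report
describes: on the cached-image path the stored backend 'location' was
serialised into an x-image-meta-location header. All names, hosts and
values below are constructed for this example.
"""
import re
from copy import deepcopy
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample image: the backend location carries store credentials
# in the URI userinfo (placeholder values, not real ones).
SAMPLE_IMAGE_META = {
    "id": "2e877e45-0000-4000-8000-000000000000",
    "name": "Image1",
    "size": 332,
    "status": "active",
    "location": ("swift+https://tenant%3Auser:PLACEHOLDER_KEY"
                 "@swift.example.invalid/v1/AUTH_x/glance/2e877e45"),
}

# Constructed dump in the ngrep style of the report (a trailing '.' stands
# for the CR of each CRLF), modelling the pre-fix cached-image response.
SAMPLE_CACHED_DUMP = """\
HTTP/1.1 200 OK.
Content-Length: 332.
Content-Type: application/octet-stream.
X-Image-Meta-Id: 2e877e45-0000-4000-8000-000000000000.
X-Image-Meta-Location: swift+https://tenant%3Auser:PLACEHOLDER_KEY@swift.example.invalid/v1/AUTH_x/glance/2e877e45.
X-Image-Meta-Name: Image1.
Location: http://glance.example.invalid:9292/v1/images/2e877e45-0000-4000-8000-000000000000.
Date: Thu, 28 Feb 2013 10:22:15 GMT.
.
"""


def redirect_url(image_meta: Dict) -> str:
    """Public download URL derived from the image id alone (hypothetical
    host); this is the only 'Location' a client needs to see."""
    return f"http://glance.example.invalid:9292/v1/images/{image_meta['id']}"


def image_meta_to_headers(image_meta: Dict) -> Dict[str, str]:
    """Expose every metadata field as x-image-meta-<field> (simplified v1)."""
    return {f"x-image-meta-{k}": str(v) for k, v in image_meta.items()}


def build_headers_vulnerable(image_meta: Dict) -> Dict[str, str]:
    """Pre-fix cached path: 'location' is serialised like any other field,
    so the backend URI (credentials included) reaches the client."""
    headers = image_meta_to_headers(image_meta)
    headers["Location"] = redirect_url(image_meta)
    return headers


def build_headers_fixed(image_meta: Dict) -> Dict[str, str]:
    """Post-fix path following the proposed patch: drop the backend location
    from the metadata and strip the header if an earlier step already
    injected it. Works on a copy so the caller's dict is left intact."""
    meta = deepcopy(image_meta)
    meta.pop("location", None)                  # patch: del image_meta['location']
    headers = image_meta_to_headers(meta)
    headers.pop("x-image-meta-location", None)  # patch: del response.headers[...]
    headers["Location"] = redirect_url(image_meta)
    return headers


_HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")


def parse_header_dump(raw: str) -> Dict[str, str]:
    """Parse an ngrep-style dump into {lowercase-name: value}, skipping the
    status line, the ngrep banner and blank lines."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.rstrip()
        if line.endswith("."):
            line = line[:-1]                    # drop the CR marker
        name, sep, value = line.partition(":")
        if not sep or not _HEADER_NAME.fullmatch(name):
            continue
        headers[name.lower()] = value.strip()
    return headers


def find_location_leaks(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag a backend-location header and any header whose value is a URI
    with userinfo (user:secret@host), the pattern behind this advisory."""
    findings: List[Tuple[str, str]] = []
    for name, value in headers.items():
        if name.lower() == "x-image-meta-location":
            findings.append((name, "backend store location exposed"))
        parts = urlsplit(value)
        if parts.scheme and "@" in parts.netloc:
            findings.append((name, "URI carries credentials in userinfo"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("vulnerable", build_headers_vulnerable(SAMPLE_IMAGE_META)),
                        ("fixed", build_headers_fixed(SAMPLE_IMAGE_META)),
                        ("captured dump", parse_header_dump(SAMPLE_CACHED_DUMP))):
        print(f"{label}: {find_location_leaks(hdrs) or 'no leak'}")
```

The fixed path works on a copy of the metadata instead of deleting from the caller's dict as the patch does, so any other consumer of the same dict is unaffected. The dump check can be run over a captured response after upgrading to confirm that the cached-image path no longer returns the store URI.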
Or, to additionally handle the case where the response header's x-image-meta-location field has been populated:
$ git diff glance/ api/v1/ images. py api/v1/ images. py b/glance/ api/v1/ images. py api/v1/ images. py api/v1/ images. py (wsgi.JSONRespo nseSerializer) :
self. notifier = notifier.Notifier()
diff --git a/glance/
index 7068820..3e8741c 100644
--- a/glance/
+++ b/glance/
@@ -947,6 +947,10 @@ class ImageSerializer
def _inject_ location_ header( self, response, image_meta): 'location' ] meta-location' in response.headers: headers[ 'x-image- meta-location' ] image_location( image_meta)
response. headers[ 'Location' ] = location. encode( 'utf-8' )
+ if 'location' in image_meta:
+ del image_meta[
+ if 'x-image-
+ del response.
location = self._get_
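Review bot: this hunk is at line 947 against index 7068820 while the earlier diff is at line 933 against index 4b62946, so the two are based on different revisions of the same file and cannot be applied together; one of them needs rebasing before review. On the body, `del image_meta[...]` behind an `if 'location' in image_meta` guard mutates the caller's dict from inside a serializer; `image_meta.pop('location', None)` drops the guard, and copying the dict first avoids surprising any other consumer of the same metadata. The removal of `response.headers['x-image-meta-location']` is the right complement to the first diff, since that header is what the cached-image dump in the description actually shows.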