GlanceException accepts arbitrary format strings
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Triaged | Wishlist | Kent Wang |
Bug Description
GlanceException is implemented in such a way that the message argument to its __init__(), if passed unchecked user input when raising it or any basic subclass of it, creates an uncontrolled format string vulnerability. It is similar to the construction of NovaException and CinderException, but the way its conditional on the message argument is arranged relative to the string formatting routine differs enough to expose this risk where the other projects' implementations do not.
A safer alternative would be to migrate to subclassing OpenstackException from oslo-incubator, provide a predefined format string constant as the message parameter when subclassing, and have a different subclass per format string (Quantum's QuantumException provides a good example). This way the format string does not risk containing unchecked user input, since it cannot be passed directly when raising the exception.
This bug is not a security vulnerability, but does outline a security hardening improvement which can help avoid future vulnerabilities.
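
A simplified model of the two patterns the report contrasts, added here as an illustration; it is not Glance, Nova, or oslo-incubator code. The class names, messages, and sample inputs are constructed for the example.

```python
"""Simplified model of the two exception styles discussed in the bug report.
Class names and messages are hypothetical; this is not Glance's code."""


class UncheckedFormatException(Exception):
    """Risky pattern: the caller-supplied message is used as the format string."""
    message = "An unknown exception occurred"

    def __init__(self, message=None, **kwargs):
        if not message:
            message = self.message
        # Anything in `message`, including user input, is parsed for % directives.
        super().__init__(message % kwargs)


class FixedFormatException(Exception):
    """Hardened pattern: the format string is a class constant, never an argument."""
    msg_fmt = "An unknown exception occurred"

    def __init__(self, **kwargs):
        # User input can only arrive as a value, which % never re-parses.
        super().__init__(self.msg_fmt % kwargs)


class InvalidImageName(FixedFormatException):
    msg_fmt = "Invalid image name: %(name)s"


def raise_unchecked(name, **context):
    """Build the message from user input, as a careless call site might."""
    try:
        raise UncheckedFormatException("Invalid image name: " + name, **context)
    except Exception as exc:
        return type(exc).__name__, str(exc)


def raise_fixed(name):
    """Pass user input only as a value for the predefined format string."""
    try:
        raise InvalidImageName(name=name)
    except Exception as exc:
        return type(exc).__name__, str(exc)


if __name__ == "__main__":
    # Constructed inputs standing in for an untrusted image name.
    for name in ("cirros", "%(owner)s", "%(missing)s"):
        print(repr(name), raise_unchecked(name, owner="tenant-a"), raise_fixed(name))
```

With the unchecked pattern, a directive in the input is either expanded from the keyword arguments or raises a `KeyError` inside the constructor, so the intended exception is never raised; the fixed-format subclass reports the input verbatim in both cases.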
Changed in glance:
importance: Undecided → Wishlist
Changed in glance:
status: New → Triaged
Changed in glance:
assignee: nobody → Kent Wang (k.wang)