Shell injection possibility in cmd/control.py
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Fix Released
|
Undecided
|
Travis McPeak | ||
OpenStack Security Advisory |
Invalid
|
Undecided
|
Unassigned |
Bug Description
The glance/
This may not be a major security concern at this time because the only place that I found for 'server' to come from is a Glance configuration file, which should be locked down. Only privileged users should have write access to the config file, and if they want to do bad things on the system there are easier ways.
Still, 'shell=True' appears to be completely unnecessary for this call. Simply omitting the shell parameter here will cause it to revert to the default behavior, which requires that the command to be run be specified in a separate parameter than the arguments to the command. This effectively prevents shell injection vulnerabilities.
information type: | Private Security → Public |
Changed in ossa: | |
status: | Incomplete → Invalid |
tags: | added: security |
Changed in glance: | |
assignee: | nobody → Travis McPeak (travis-mcpeak) |
status: | New → In Progress |
Changed in glance: | |
milestone: | none → juno-2 |
status: | Fix Committed → Fix Released |
Changed in glance: | |
milestone: | juno-2 → 2014.2 |
I've discussed this with Travis, and I don't think that it is a vulnerability given that the person who can inject shell commands is the admin who has write access to the glance config file. On my system, write access is locked down to the "glance" user, which is the same user that the process runs as.