Reviewed: https://review.openstack.org/212568
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=eb99e45829a1b4c93db5692bdbf636a86faa56c4
Submitter: Jenkins
Branch: stable/kilo
commit eb99e45829a1b4c93db5692bdbf636a86faa56c4
Author: Flavio Percoco <email address hidden>
Date: Thu Jul 9 14:44:04 2015 +0200
Don't import files with backed files
There's a security issue where it'd be possible to import images with
backed files using the task engine and then use/convert those to access
system files or any other file in the system. An example of an attack
would be to import an image with a backing file pointing to
`/etc/passwd`, then convert it to raw and download the generated image.
This patch forbids importing files with backing files entirely. It does
that in the `_ImportToFS` task, which is the one that imports the image
locally to then execute other tasks on it. It's not necessary for the
`_ImportToStore` task because other tasks won't be executed when the
image is imported in the final store.
Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494
Closes-bug: #1471912
(cherry picked from commit d529863a1e8d2307526bdb395b4aebe97f81603d)
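The check the commit describes, rejecting any uploaded image that names a backing file before anything converts it, can be illustrated with a small inspector. The following is an added example, not Glance's own code and not the `_ImportToFS` change itself: it reads the backing-file fields straight out of a qcow2 header (the format in which backing files are most commonly expressed) and, separately, reads the `backing-filename` key that `qemu-img info --output=json` emits. The sample header bytes are constructed here for the demonstration; `check_import_allowed`, `BackingFileError` and `build_qcow2_header` are names chosen for this example.

```python
import json
import struct
import subprocess
from typing import Optional

# qcow2 header (big-endian): magic, version, backing_file_offset (u64),
# backing_file_size (u32), cluster_bits, size, crypt_method, l1_size,
# l1_table_offset, refcount_table_offset, refcount_table_clusters,
# nb_snapshots, snapshots_offset -- 72 bytes for a version-2 header.
QCOW2_MAGIC = b"QFI\xfb"
QCOW2_HEADER_LEN = 72


class BackingFileError(ValueError):
    """Raised when an image references an external backing file."""


def qcow2_backing_file(data: bytes) -> Optional[str]:
    """Return the backing-file string recorded in a qcow2 header, or None.

    `data` is the beginning of the image file (the first MiB is plenty; the
    backing file name normally sits right after the header). Non-qcow2 input
    returns None so the caller can fall back to another check.
    """
    if len(data) < QCOW2_HEADER_LEN or data[:4] != QCOW2_MAGIC:
        return None
    version, bf_offset, bf_size = struct.unpack_from(">IQI", data, 4)
    if bf_offset == 0 or bf_size == 0:
        return None
    if bf_offset + bf_size > len(data):
        # The header claims a name we did not read: treat as suspicious rather
        # than silently accepting the image.
        raise BackingFileError("backing file name lies outside the bytes read")
    return data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")


def qemu_img_backing_file(info_json: str) -> Optional[str]:
    """Extract the backing file from `qemu-img info --output=json` output."""
    info = json.loads(info_json)
    # qemu-img reports the name exactly as stored in the image; a relative
    # name is still a backing file and still has to be refused.
    return info.get("backing-filename")


def check_import_allowed(head: bytes, info_json: Optional[str] = None) -> bool:
    """Return True only if no backing file is visible by either method."""
    backing = qcow2_backing_file(head)
    if backing is None and info_json is not None:
        backing = qemu_img_backing_file(info_json)
    if backing is not None:
        raise BackingFileError(f"image references backing file {backing!r}")
    return True


def inspect_with_qemu_img(path: str) -> str:
    """Run qemu-img (if installed) and return its JSON description of `path`."""
    return subprocess.run(
        ["qemu-img", "info", "--output=json", path],
        check=True, capture_output=True, text=True,
    ).stdout


def build_qcow2_header(backing: Optional[bytes]) -> bytes:
    """Construct a minimal qcow2 v2 header (sample data for this example)."""
    bf_offset = QCOW2_HEADER_LEN if backing else 0
    bf_size = len(backing) if backing else 0
    header = QCOW2_MAGIC + struct.pack(
        ">IQIIQIIQQIIQ",
        2, bf_offset, bf_size, 16, 1 << 30, 0, 0,
        0x10000, 0x20000, 1, 0, 0,
    )
    return header + (backing or b"")


if __name__ == "__main__":
    # Constructed samples: one image pointing at /etc/passwd, one clean.
    for head in (build_qcow2_header(b"/etc/passwd"), build_qcow2_header(None)):
        try:
            check_import_allowed(head)
            print("import allowed")
        except BackingFileError as exc:
            print("import refused:", exc)
```

Reading the header directly means the refusal does not depend on the availability or version of `qemu-img`, while the JSON path covers formats other than qcow2 that `qemu-img` understands; a deployment that accepts several formats should run both and refuse on either.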