Comment 23 for bug 1482371

Stuart McLaren (stuart-mclaren) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

@Grant

Some tweaks:

"By submitting an HTTP PUT request with a 'x-image-meta-status' header, a malicious tenant can manipulate the status of public images without requiring administrative privileges."

This isn't specific to public images. Also, the admin privilege is a bit of a red herring I think. Basically, standard users can only modify the state of images that they own (as Erno says above).

Maybe something like:

"By submitting an HTTP PUT request with a 'x-image-meta-status' header, a tenant can manipulate the status of their images. In some cases this then allows replacing the image contents by reuploading them -- which should not be allowed as 'active' images are considered immutable."

"Only setups using the Glance v1 API are affected by this flaw."

"Only setups using the Glance v1 API allow the illegal modification of image status. Only setups which also use the v2 API may allow a subsequent re-upload of image contents."
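The two rules the comment above settles on (only an administrator may change an image's status, and an 'active' image's contents are immutable) can be expressed as a single server-side check. The following is an added illustration, not Glance's own code: it models a v1-style PUT on an image with an assumed request shape (tenant, roles, headers, whether image data is in the body) and an assumed image record (owner, status), and returns whether the update should be accepted. The role name `admin` and the set of immutable statuses are assumptions for the example.

```python
"""Model of the v1 image PUT policy discussed in the bug comment.

Added example; not code from the Glance project. The request and image
shapes below are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ADMIN_ROLE = "admin"                      # assumed name of the admin role
IMMUTABLE_STATUSES = {"active", "deleted"}  # assumed: contents may not be replaced
STATUS_HEADER = "x-image-meta-status"


@dataclass
class Image:
    image_id: str
    owner: str      # tenant that owns the image
    status: str     # e.g. "queued", "saving", "active", "deleted"


@dataclass
class PutRequest:
    tenant: str            # tenant issuing the request
    roles: Set[str]        # roles attached to the request's token
    headers: Dict[str, str]
    has_body: bool         # True when image data is being uploaded


def requested_status(headers: Dict[str, str]) -> Optional[str]:
    """Return the status a client asked for, matching the header case-insensitively."""
    for name, value in headers.items():
        if name.lower() == STATUS_HEADER:
            return value
    return None


def check_image_put(image: Image, req: PutRequest) -> Tuple[bool, str]:
    """Decide whether a PUT against `image` is allowed.

    Returns (allowed, reason). Rules, in order:
      1. Only the owner or an admin may touch the image at all.
      2. A status change via the header is only honoured for admins.
      3. Image contents cannot be (re)uploaded once the image is active.
    """
    is_admin = ADMIN_ROLE in req.roles
    is_owner = image.owner == req.tenant

    if not (is_admin or is_owner):
        return False, "tenant is not the image owner"

    wanted = requested_status(req.headers)
    if wanted is not None and wanted != image.status and not is_admin:
        return False, "image status may only be changed by an administrator"

    if req.has_body and image.status in IMMUTABLE_STATUSES:
        return False, "contents of an %s image are immutable" % image.status

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: owner tries to push an active image back to 'queued'
    # so that it can be re-uploaded; the policy refuses both steps.
    img = Image("img-1", owner="tenant-a", status="active")
    rollback = PutRequest("tenant-a", {"member"}, {"X-Image-Meta-Status": "queued"}, False)
    reupload = PutRequest("tenant-a", {"member"}, {}, True)
    print(check_image_put(img, rollback))
    print(check_image_put(img, reupload))
```

The order of the checks matters: the ownership test comes first so that a request from another tenant never reaches the status or upload logic, and the body check is applied against the stored status, not the requested one, so a header and an upload in the same request cannot bypass it.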