Comment 2 for bug 1545702

Dan Smith (danms) wrote : Re: Images v2 api metadef vulnerability

I can confirm this locally in 2021 with a script to just create resources in a tight loop:

$ glance md-namespace-list | wc -l
2033
$ glance md-namespace-resource-type-list bar1 | wc -l
1004

(and still going)

I don't see any knobs to limit this, nor anywhere in the code that we attempt to cap the number of these objects we allow to be created. AFAICT, the policies for these are all open to regular users by default, which is not good.

I don't have permissions to set the importance of this bug, but despite the fact that this is five years old at this point, I'd rate this as non-trivial in terms of priority.
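
An added example, not part of the comment above and not Glance's own code: a check over an effective policy mapping that flags metadef creation rules any user can pass, which is the condition the comment describes. The rule names are Glance's metadef policy names; the sample policy is constructed, and the checker assumes check strings built only from `or` and `rule:` references (anything else is reported as restricted).

```python
import re

# Glance metadef policies that create objects; unbounded creation of
# these objects is what this bug reports.
METADEF_CREATE_RULES = (
    "add_metadef_namespace",
    "add_metadef_resource_type_association",
    "add_metadef_object",
    "add_metadef_property",
    "add_metadef_tag",
    "add_metadef_tags",
)

ALWAYS_ALLOW = {"", "@"}  # oslo.policy: empty string and "@" admit every caller


def is_open(check, policy, seen=()):
    """Return True if the check string admits any authenticated user."""
    check = check.strip()
    if check in ALWAYS_ALLOW:
        return True
    parts = re.split(r"\s+or\s+", check)
    if len(parts) > 1:  # "a or b" is open if either branch is open
        return any(is_open(p, policy, seen) for p in parts)
    ref = re.fullmatch(r"rule:(\S+)", check)
    if ref and ref.group(1) not in seen:  # follow the reference, avoid cycles
        target = policy.get(ref.group(1))
        return target is not None and is_open(target, policy, seen + (ref.group(1),))
    return False


def audit(policy):
    """Map each metadef creation rule to 'open', 'restricted' or 'unset'."""
    return {
        name: "unset" if name not in policy
        else "open" if is_open(policy[name], policy) else "restricted"
        for name in METADEF_CREATE_RULES
    }


SAMPLE_POLICY = {  # constructed sample, not taken from any deployment
    "default": "",
    "context_is_admin": "role:admin",
    "add_metadef_namespace": "",
    "add_metadef_object": "rule:default",
    "add_metadef_property": "rule:context_is_admin",
    "add_metadef_tag": "role:admin or @",
    "add_metadef_tags": "role:admin",
}
```

A rule reported as "unset" is absent from the supplied mapping, so the service's built-in default applies and has to be checked separately.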