Comment 79 for bug 1546507

Tomoki Sekiyama (tsekiyama) wrote :

Brian, Cinder store is also vulnerable to this exploit when it is configured to store image volumes in the shared internal tenant. (It has another mode that stores the volumes in the user's tenant; it is not vulnerable because other tenant users cannot touch the image volume.)

And, Cinder store uses a URL like 'cinder://<cinder-volume-uuid>' which does not include the image-uuid, so the currently proposed patch does not solve the issue. The image volumes stored in the shared internal tenant have the owner information in volume metadata, so we need to check if the volume is owned by the current user before adding its location to an image.
The attached patch does the check.
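
The ownership check described in the comment above, sketched as an added example; it is not the attached patch and not Glance code. The metadata key `image_owner`, the `get_volume` lookup callback and the sample volumes are assumptions made for illustration.

```python
import uuid
from urllib.parse import urlparse


class LocationRejected(Exception):
    """Raised when a cinder:// location must not be attached to an image."""


def check_cinder_location(url, tenant_id, get_volume, owner_key="image_owner"):
    """Return the volume id if tenant_id may register url as an image location.

    get_volume(volume_id) returns a dict with a "metadata" mapping, or None.
    owner_key is an assumed metadata key name (hypothetical, not from the page).
    """
    parsed = urlparse(url)
    if parsed.scheme != "cinder" or parsed.path not in ("", "/"):
        raise LocationRejected("not a cinder://<volume-uuid> location")
    try:
        volume_id = str(uuid.UUID(parsed.netloc))  # normalise and validate
    except ValueError:
        raise LocationRejected("malformed volume id")
    volume = get_volume(volume_id)
    if volume is None:
        raise LocationRejected("volume not found")
    owner = (volume.get("metadata") or {}).get(owner_key)
    # Fail closed: a volume with no recorded owner is rejected, not treated
    # as shared, because the URL itself carries no image or tenant identity.
    if not owner or owner != tenant_id:
        raise LocationRejected("volume is not owned by the requesting tenant")
    return volume_id


# Constructed sample data: volumes held in the shared internal tenant.
VOLUMES = {
    "11111111-1111-1111-1111-111111111111": {"metadata": {"image_owner": "tenant-a"}},
    "22222222-2222-2222-2222-222222222222": {"metadata": {}},
}


def allowed(url, tenant_id):
    """Boolean wrapper around check_cinder_location for the sample data."""
    try:
        check_cinder_location(url, tenant_id, VOLUMES.get)
        return True
    except LocationRejected:
        return False
```
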