Here's an unhelpful comment. The OVA extraction task is extremely brittle and subject to several known attack vectors, as stated on the spec, which is a public document:
http://specs.openstack.org/openstack/glance-specs/specs/mitaka/implemented/ovf-lite.html#security-impact
The OVA extraction task should only be used by administrators and trusted users.
The xml-entity-expansion attack isn't mentioned in the spec, though.
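An added example, not part of the comment above and not Glance's own code: one way a consumer of OVA files can refuse the entity-expansion case mentioned here, by rejecting any OVF descriptor that carries a DTD or entity declaration before trusting its contents. The function names, the size cap and the sample descriptors are assumptions constructed for this illustration.

```python
import io
import tarfile
from xml.parsers import expat

MAX_OVF_BYTES = 1 << 20  # assumed cap on descriptor size, not a Glance setting


class UnsafeOVF(Exception):
    """Raised when an OVA or its OVF descriptor is rejected."""


def build_ova(ovf_bytes, name="appliance.ovf"):
    """Build a constructed in-memory OVA (plain tar) for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(ovf_bytes)
        tar.addfile(info, io.BytesIO(ovf_bytes))
    return buf.getvalue()


def read_ovf_from_ova(ova_bytes):
    """Return the raw .ovf descriptor from the archive, enforcing the size cap."""
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:") as tar:
        for member in tar:
            if member.isfile() and member.name.lower().endswith(".ovf"):
                if member.size > MAX_OVF_BYTES:
                    raise UnsafeOVF("OVF descriptor too large")
                return tar.extractfile(member).read()
    raise UnsafeOVF("no OVF descriptor in archive")


def parse_ovf_strict(ovf_bytes):
    """Parse the descriptor and return element names; refuse DTDs and entities."""
    def forbid(*_args):
        raise UnsafeOVF("DTD/entity declarations are not allowed in OVF")

    elements = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid  # fires before any entity is defined
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    try:
        parser.Parse(ovf_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeOVF(f"malformed OVF descriptor: {exc}") from exc
    return elements


# Constructed sample descriptors: one plain, one carrying an internal DTD.
CLEAN_OVF = b'<Envelope><VirtualSystem id="vm1"/></Envelope>'
DTD_OVF = b'<!DOCTYPE Envelope [<!ENTITY a "x">]><Envelope>&a;</Envelope>'
```

Rejecting at the DOCTYPE handler means no entity is ever defined or expanded, so the check does not depend on how deep or large an expansion would be.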