OpenStack Image Registry and Delivery Service (Glance)

Glance reports location (with credentials) in create return json

Reported by Stuart McLaren on 2011-10-24
Affects Status Importance Assigned to Milestone
Glance
High
Jay Pipes
Diablo
Undecided
Unassigned

Bug Description

Hi,

Watching what was going over the wire it looks like someone can get the backend credentials
from performing an add -- see the 'redacted' text below. If this is a real bug feel free to assign to me.

Frame 85: 743 bytes on wire (5944 bits), 743 bytes captured (5944 bits)
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
*** Port: 9292->58908
Secure Sockets Layer
Hypertext Transfer Protocol
    HTTP/1.1 201 Created\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 201 Created\r\n]
            [Message: HTTP/1.1 201 Created\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.1
        Status Code: 201
        Response Phrase: Created
    Content-Type: application/json\r\n
    Content-Length: 448\r\n
        [Content length: 448]
    Location: https://0.0.0.0:9292/v1/images/10\r\n
    Etag: bfea3d69d8c0bf3fcec7f384484a7710\r\n
    Date: Mon, 24 Oct 2011 13:13:26 GMT\r\n
    \r\n
Line-based text data: application/json
    {"image": {"status": "active", "name": "xx1", "deleted": false, "container_format": "ovf", "created_at": "2011-10-24T13:13:26", "disk_format": "raw", "updated_at": "2011-10-24T13:13:26", "properties": {}, "min_disk": 0, "id": 10, "location": "swift+https://redacted:redacted@x.x.x.x:443/auth/v1.0/glance/10", "checksum": "bfea3d69d8c0bf3fcec7f384484a7710", "owner": null, "is_public": true, "deleted_at": null, "min_ram": 0, "size": 681}}

Jay Pipes (jaypipes) wrote :

I'm on it. Thanks for the bug report, Stuart!

Changed in glance:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Jay Pipes (jaypipes)
milestone: none → essex-1

No prob. Hope to have something for you on the 'location' stuff "real soon now".


Stuart McLaren (stuart-mclaren) wrote :

Possibly delete too.

Frame 166: 695 bytes on wire (5560 bits), 695 bytes captured (5560 bits)
Internet Protocol Version 4, Src: 127.0.0.1 (127.0.0.1), Dst: 127.0.0.1 (127.0.0.1)
*** Port: 9191->59801
Secure Sockets Layer
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
            [Message: HTTP/1.1 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.1
        Status Code: 200
        Response Phrase: OK
    Content-Type: text/html; charset=UTF-8\r\n
    Content-Type: application/json\r\n
    Content-Length: 446\r\n
        [Content length: 446]
    Date: Mon, 24 Oct 2011 17:45:22 GMT\r\n
    \r\n
Line-based text data: application/json
    {"image": {"status": "active", "created_at": "2011-10-24T13:11:25", "name": "xx1", "deleted": false, "container_format": "ovf", "min_ram": 0, "disk_format": "raw", "updated_at": "2011-10-24T13:11:25", "properties": {}, "owner": null, "location": "swift+https://xxx:xxx@x.x.x.x:443/auth/v1.0/glance/9", "checksum": "bfea3d69d8c0bf3fcec7f384484a7710", "min_disk": 0, "is_public": true, "deleted_at": null, "id": 9, "size": 681}}

Reviewed: https://review.openstack.org/1105
Committed: http://github.com/openstack/glance/commit/258aa1356ca0e3e6de0b1cdd54b3736e592d3995
Submitter: Jenkins
Branch: master

 status fixcommitted
 done

commit 258aa1356ca0e3e6de0b1cdd54b3736e592d3995
Author: Brian Waldon <email address hidden>
Date: Tue Oct 25 22:41:42 2011 -0400

    Remove 'location' from POST/PUT image responses

    The 'location' field is already removed from GET calls, so we should
    also remove it from POST/PUT operations. Partially fixes bug 880910.

    Change-Id: I4f7d8d0309c8a3e10d0c2a99573ca0fa808c93be

Changed in glance:
status: Triaged → Fix Committed

Reviewed: https://review.openstack.org/1780
Committed: http://github.com/openstack/glance/commit/5b26c53c8e5143de37e270146d4ea9755c5c3f32
Submitter: Jenkins
Branch: stable/diablo

 tag in-stable-diablo
 done

commit 5b26c53c8e5143de37e270146d4ea9755c5c3f32
Author: Brian Waldon <email address hidden>
Date: Tue Oct 25 22:41:42 2011 -0400

    Remove 'location' from POST/PUT image responses

    The 'location' field is already removed from GET calls, so we should
    also remove it from POST/PUT operations. Partially fixes bug 880910.

    (cherry picked from commit 258aa1356ca0e3e6de0b1cdd54b3736e592d3995)

    Change-Id: I4f7d8d0309c8a3e10d0c2a99573ca0fa808c93be
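Two checks around the defect reported above and the fix committed here, written as an added illustration rather than Glance's own code: a detector that walks a captured image-create response and flags any string value whose URI carries a user:password userinfo (the `swift+https://...@...` location field), and a response filter that drops the backend-only `location` key before serialization, which is the approach the commit takes for POST/PUT. The sample body, the placeholder credentials and the `INTERNAL_KEYS` tuple are constructed for this example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: the shape of the Glance v1 image-create response quoted
# in the bug report, with the backend credentials replaced by placeholders.
SAMPLE_RESPONSE = json.dumps({"image": {
    "status": "active", "name": "xx1", "id": 10, "size": 681,
    "checksum": "bfea3d69d8c0bf3fcec7f384484a7710",
    "location": "swift+https://USER:SECRET@x.x.x.x:443/auth/v1.0/glance/10",
}})

# Keys whose values are backend-internal and must never reach an API client
# (assumed list for this example; the bug concerns 'location').
INTERNAL_KEYS = ("location",)


def find_embedded_credentials(body):
    """Return [(json_key, scheme, host)] for every string value in the JSON
    body whose URI carries a userinfo (user and/or password) component.
    Useful as a detection check over a captured API response."""
    found = []

    def walk(node, key=None):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, k)
        elif isinstance(node, list):
            for v in node:
                walk(v, key)
        elif isinstance(node, str) and "://" in node:
            # urlsplit accepts schemes such as 'swift+https' and exposes userinfo
            parts = urlsplit(node)
            if parts.username is not None or parts.password is not None:
                found.append((key, parts.scheme, parts.hostname))

    walk(json.loads(body))
    return found


def strip_internal_fields(image):
    """Drop backend-only fields from an image dict before it is serialized
    into a POST/PUT response (illustrates the fix, not Glance's code)."""
    return {k: v for k, v in image.items() if k not in INTERNAL_KEYS}


def sanitize_response(body):
    """Apply strip_internal_fields to a serialized {"image": {...}} body."""
    doc = json.loads(body)
    doc["image"] = strip_internal_fields(doc["image"])
    return json.dumps(doc)
```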

Jay Pipes (jaypipes) on 2011-12-30
Changed in glance:
status: Fix Committed → Fix Released
Jay Pipes (jaypipes) on 2012-01-11
security vulnerability: yes → no
visibility: private → public
Thierry Carrez (ttx) on 2012-01-12
security vulnerability: no → yes
Thierry Carrez (ttx) on 2012-04-05
Changed in glance:
milestone: essex-1 → 2012.1
This report contains Public Security information.
Everyone can see this security related information.