Comment 60 for bug 1546507

Erno Kuvaja (jokke) wrote : Re: Regular user can delete any image file

I had a read through of this bug and the patch. One thing that is not clear to me is why we do guesswork about what the image location path can or cannot be, rather than just checking that with any RW store we do not allow setting a location that a) we do not have access to (prevents any possibility of guessing what the file name would be in future) and b) is not in our locations table already? This would also solve any potential issue with the VMware driver regardless of whether we reach Sabari for his expertise or not.

Also, I'd prefer fixing this in master and all stable branches for now, and we can then alter master after we get service tokens into use. For now I think it's more important that we provide a patch to all consumers who are using, for example, Nova+rbd or Cinder+rbd at the time when this becomes public, rather than go with a statement "We know this is wrong but didn't bother to fix it properly".

My biggest worry is that even though exploiting this needs non-default config settings, those are mandatory for the rbd drivers, and based on the latest survey that's >50% of the deployments.