Regarding the fix in comment #10, operators could set their global environment to host their templates anywhere, not just /etc/heat/templates. A better fix might be to load the global environment and reject any file:// path which doesn't have an explicit files entry in the global env.
Regarding a heatclient fix we have a couple of options which we could discuss here:
- don't fix it, communicate to users that they should only launch templates from trusted sources
- fix it for templates loaded over the network (http, https) so that any file:// url in these templates are rejected
Comment #27 looks good.
Regarding the fix in comment #10, operators could set their global environment to host their templates anywhere, not just /etc/heat/ templates. A better fix might be to load the global environment and reject any file:// path which doesn't have an explicit files entry in the global env.
Regarding a heatclient fix we have a couple of options which we could discuss here:
- don't fix it, communicate to users that they should only launch templates from trusted sources
- fix it for templates loaded over the network (http, https) so that any file:// url in these templates are rejected