Comment 32 for bug 1496277

Steven Hardy (shardy) wrote : Re: template-validate may read server local files (CVE-2015-5295)

I'm not sure on the status of Angus's patch; I've been meaning to sync up with him about it.

There has been some (private) discussion around an alternative solution, triggered by https://review.openstack.org/#/c/238194/ which aims to fix a different issue, but ends up having some overlap with this issue (potentially) in terms of implementation.

The potential solution mentioned by Zane is to not generate classes via generate_class except for the global environment, which would mean that we'd never hit the code in heat-engine causing this vulnerability, because all TemplateResource objects instantiated from user-provided environments would be directly instantiated template_resource.TemplateResource objects, not subclasses derived from generate_class.

Context is https://review.openstack.org/#/c/79291/3, which shows that generate_class was only added so we could allow resource-type-list to show resources defined in the global environment, e.g. it's not actually needed for user-provided environments.

I'm currently investigating this approach, to enable fixing bug #1508115, and will report back here (before posting anything in public) should that approach prove viable as a solution to both bugs.

Angus: I'd be interested to chat and hear your thoughts on that as a potential solution.

Tristan: How do we handle this should a fix prove viable as a side-effect to another bug which is not flagged as security impacting?