Comment 42 for bug 1496277

Zane Bitter (zaneb) wrote : Re: template-validate may read server local files (CVE-2015-5295)

I posted a series here: https://review.openstack.org/#/q/status:open+project:openstack/heat+branch:master+topic:bug/1518458,n,z

The interesting one is https://review.openstack.org/#/c/250053/ which should mostly solve the problem. The exception is the validation code introduced by the fix for bug 1479565. The attached patch should solve the last part of the problem without breaking that fix.

Feedback is appreciated. There are still some murky parts around updates (by which time the previously global type mappings are treated as user type mappings), but in theory these patches can't make anything worse. In theory.