Comment 44 for bug 1496277

Steven Hardy (shardy) wrote : Re: template-validate may read server local files (CVE-2015-5295)

@Zane: Thanks for looking at this, +1 on the patch in comment #42 - I agree that we may find that self.user_resource isn't treated properly on update - it'd be worth testing a scenario like:

1. Create a stack with a TemplateResource defined in the global environment
2. Modify the file referenced by the global environment mapping
3. Update the stack from (1) and prove the changes are picked up.

IIRC this sequence does currently work. I'll pull your patch tomorrow and re-test, unless anyone else gets to it first.