Comment 4 for bug 1514467

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to openstack/glance (openstack-ci/fuel-6.0-updates/2014.2)

Reviewed: https://review.fuel-infra.org/13746
Submitter: Vitaly Sedelnik <email address hidden>
Branch: openstack-ci/fuel-6.0-updates/2014.2

Commit: 40e1bb2369e3ac1b7ce358bdcd9387fc44955af9
Author: Grant Murphy <email address hidden>
Date: Mon Nov 9 15:39:17 2015

Prevent file, swift+config and filesystem schemes

This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.

Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.

Closes-Bug: #1514467
(cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)
Change-Id: I5fcf1d3e519e9d0dba9d00e65c8818292c206503
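
Added example, not part of the commit or of Glance's code: a scheme check for a location URI, run once with a denylist that lacks 'filesystem' and once with the list the commit message describes. The set names, function names and sample URIs are constructed for illustration, and that the earlier list held exactly 'file' and 'swift+config' is an assumption.

```python
from urllib.parse import urlsplit

# Scheme names come from the commit message; the set and function names are
# this example's own. EARLIER models (as an assumption) a denylist that
# lacks 'filesystem'.
EARLIER_RESTRICTED = frozenset({"file", "swift+config"})
FIXED_RESTRICTED = EARLIER_RESTRICTED | {"filesystem"}


def scheme_of(uri):
    """Return the lowercased URI scheme, or '' if the value has none."""
    return urlsplit(uri.strip()).scheme.lower()


def location_allowed(uri, restricted):
    """Reject a location whose scheme is missing or in the restricted set."""
    scheme = scheme_of(uri)
    return bool(scheme) and scheme not in restricted


def closed_by_fix(uris, old, new):
    """Locations the old denylist accepted that the new one rejects."""
    return [u for u in uris
            if location_allowed(u, old) and not location_allowed(u, new)]


# Constructed sample locations (placeholder hosts and paths).
SAMPLES = [
    "http://images.example.test/cirros.img",
    "file:///placeholder/path",
    "FILE:///placeholder/path",            # scheme comparison is case-insensitive
    "swift+config://ref/container/object",
    "filesystem:///placeholder/path",      # the scheme the earlier list missed
    " Filesystem:///placeholder/path",     # leading space and mixed case
    "/placeholder/path",                   # no scheme at all
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri!r:45} "
              f"earlier={location_allowed(uri, EARLIER_RESTRICTED)!s:5} "
              f"fixed={location_allowed(uri, FIXED_RESTRICTED)}")
    print("closed by the fix:",
          closed_by_fix(SAMPLES, EARLIER_RESTRICTED, FIXED_RESTRICTED))
```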