From bf272534c1ff4a429c678e3b78b1465b4566bb75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?=
Date: Tue, 31 Jul 2012 14:34:19 +0100
Subject: [PATCH] Prohibit file injection writing to host filesystem

This is a refinement of the previous fix in commit 2427d4a9, which does the file name canonicalization as the root user. This is required so that guest images could not for example, protect malicious symlinks in a directory only readable by root.

Note this requires adding the 'readlink' binary to the nova sudoers file.

Fixes bug: 1015531, CVE-2012-3361

Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
---
 nova/virt/disk.py | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/nova/virt/disk.py b/nova/virt/disk.py
index 6c66f1d..aa0c415 100644
--- a/nova/virt/disk.py
+++ b/nova/virt/disk.py
@@ -275,7 +275,9 @@ def _join_and_check_path_within_fs(fs, *args):
     mounted guest fs. Trying to be clever and specifying a path with
     '..' in it will hit this safeguard.
     '''
-    absolute_path = os.path.realpath(os.path.join(fs, *args))
+    absolute_path, _err = utils.execute('readlink', '-m',
+                                        os.path.join(fs, *args),
+                                        run_as_root=True)
     if not absolute_path.startswith(os.path.realpath(fs) + '/'):
         raise exception.Invalid()
     return absolute_path
--
1.7.6.4
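Review bot: `readlink -m` prints its result followed by a newline, and unless `utils.execute` strips stdout (it does not appear to here), `absolute_path` now carries a trailing `'\n'` — it still satisfies the `startswith` prefix check, but the function returns a path that differs from the canonical one, and a caller that opens or creates that path will act on a differently-named file. Normalise before the check, `absolute_path = absolute_path.rstrip('\n')`, so the value that is checked is exactly the value that is returned. A why-comment on the new call would spare the next maintainer a trip to the commit log: `# Resolve as root: symlinks placed in a directory the guest image made root-only must still be canonicalised, or they could point outside fs.` Note that the canonicalisation and the eventual write are separate steps, so the guard holds only for the path as it was at check time; if that is an accepted limitation it belongs in the docstring. The function's signature and the start of its docstring lie outside this hunk.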