OpenStack Compute (nova)

ImageRef for server create/rebuild/rescue etc are accepted as random url

Bug #1607229 reported by Ghanshyam Mann on 2016-07-28

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	High	Ghanshyam Mann	OpenStack Compute (nova) newton-3 "n3"

Bug Description

Currently imageRef in server create, rebuild and rescue
operation can be accepted as random url which contains image
UUID and fetch the UUID from that.

ImageRef in server creation etc are UUID only and valid against glance.

Currently nova used to fetch the UUID from ImageRef url and proceed.

As /images proxy APIs are deprecated, it make sense to strict
the imageRef to UUID only and return 400 when non UUID(random url) is requested.

Sean Dague (sdague) on 2016-08-01

Changed in nova:
status:	New → Triaged
importance:	Undecided → High
milestone:	none → newton-3

Matt Riedemann (mriedem) on 2016-08-03

Changed in nova:
status:	Triaged → In Progress
assignee:	nobody → Ghanshyam Mann (ghanshyammann)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-08-04: Fix merged to nova (master)

Reviewed: https://review.openstack.org/338802
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cbd3ec476f769c42e5b2a0ef8c996b60935e7f6c
Submitter: Jenkins
Branch: master

commit cbd3ec476f769c42e5b2a0ef8c996b60935e7f6c
Author: ghanshyam <email address hidden>
Date: Thu Jul 28 16:11:47 2016 +0900

Strict ImageRef validation to UUID only

    Currently imageRef in server create, rebuild and rescue
    operation can be accepted as random url which contains image
    UUID and fetch the UUID from that.

As /images proxy APIs are deprecated, and ImageRef in
server creation etc are UUID only and valid against glance.

This patch makes imageRef handling as UUID only and
return 400 if non UUID are requested.

    NOTE- Previously nova use to allow the empty string which was
          ok in case of boot from volume.
          We will keep the same behavior of allowing empty string in case of
          boot from volume only and 400 in all other case.

Closes-Bug: #1607229

Change-Id: I49f4da62c1b5b3fd8c5f67039ae113f76722b26c

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-09-02: Fix included in openstack/nova 14.0.0.0b3

This issue was fixed in the openstack/nova 14.0.0.0b3 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.