commit 4967ab6935cfd0274ae801ac943d01909a236a0a
Author: Dan Smith <email address hidden>
Date: Mon Dec 19 15:00:35 2022 +0000
Enforce image safety during image_conversion
This does two things:
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.
Closes-Bug: #1996188
Change-Id: Idf561f6306cebf756c787d8eefdc452ce44bd5e0
(cherry picked from commit 0d6282a01691cecc2798f7858b181c4bb30f850c)
Reviewed: https:/ /review. opendev. org/c/openstack /glance/ +/871614 /opendev. org/openstack/ glance/ commit/ 4967ab6935cfd02 74ae801ac943d01 909a236a0a
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/zed
commit 4967ab6935cfd02 74ae801ac943d01 909a236a0a
Author: Dan Smith <email address hidden>
Date: Mon Dec 19 15:00:35 2022 +0000
Enforce image safety during image_conversion
This does two things:
1. It makes us check that the QCOW backing_file is unset on those
types of images. Nova and Cinder do this already to prevent an
arbitrary (and trivial to accomplish) host file exposure exploit.
2. It makes us restrict VMDK files to only allowed subtypes. These
files can name arbitrary files on disk as extents, providing the
same sort of attack. Default that list to just the types we believe
are actually useful for openstack, and which are monolithic.
The configuration option to specify allowed subtypes is added in
glance's config and not in the import options so that we can extend
this check later to image ingest. The format_inspector can tell us
what the type and subtype is, and we could reject those images early
and even in the case where image_conversion is not enabled.
Closes-Bug: #1996188 756c787d8eefdc4 52ce44bd5e0 c2798f7858b181c 4bb30f850c)
Change-Id: Idf561f6306cebf
(cherry picked from commit 0d6282a01691cec