Path Traversal possible when downloading an image
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Thierry Carrez | |
| Diablo | Fix Released | Undecided | Unassigned | |
Bug Description
Because of #885165, it may be possible for a remote attacker who can perform a man-in-the-middle attack to provide a bucket with an image filename which includes "/" and/or "..". The path for the image file is taken from the desired destination directory joined with the filename found in the bucket. This occurs in the static method _download_file. The _download_file method, as the name indicates, also downloads the image to the respective file path.
The actual downloading of the image occurs via the key.get_
```python
def get_contents_
...
fp = open(filename, 'wb')
```
Which opens a new file object at the location provided. The _download_file method should ensure that the file-name is safe to use before calling the get_contents_
[0]
```python
@staticmethod
def _download_
key = bucket.
return local_filename
```
CVE References
description: updated

Changed in nova:
- assignee: nobody → Robert Clark (robert-clark)

Changed in nova:
- assignee: Vish Ishaya (vishvananda) → Thierry Carrez (ttx)
- status: Triaged → In Progress
- visibility: private → public

Changed in nova:
- milestone: none → essex-2
- status: Fix Committed → Fix Released

Changed in nova:
- milestone: essex-2 → 2012.1
One more possible bug (I don't know if this is reachable) is that the tarfile.extractall method is used in the
static method _untarzip_image. This method is also vulnerable to path traversal (as per the warning in the tarfile module documentation).
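The two checks this report asks for, as an added illustration in Python: a bucket-supplied filename that must resolve to a single component inside the destination directory, and an `extractall` replacement that applies the same containment test to every archive member. This is example code, not nova's actual fix; the function names, the sample archive and the `/var/lib/nova/images` directory used in the test are constructed.

```python
import io
import os
import tarfile
import tempfile

def inside(dest_dir, relative_path):
    # Resolved path if relative_path stays under dest_dir, else None;
    # realpath handles '..', absolute names and symlinks already on disk.
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, relative_path))
    return target if os.path.commonpath([base, target]) == base else None

def image_download_path(dest_dir, bucket_filename):
    # A bucket-supplied name must be one bare component and stay in dest_dir.
    target = inside(dest_dir, bucket_filename)
    if bucket_filename in ("", ".", "..") or target is None or \
            bucket_filename != os.path.basename(bucket_filename):
        raise ValueError("unsafe image filename: %r" % bucket_filename)
    return target

def is_safe_image_name(dest_dir, bucket_filename):
    try:
        return bool(image_download_path(dest_dir, bucket_filename))
    except ValueError:
        return False

def safe_extractall(tar, dest_dir):
    # Write only regular files that resolve inside dest_dir; skip and report
    # traversal names, links and device nodes instead of extracting them.
    skipped = []
    for member in tar.getmembers():
        target = inside(dest_dir, member.name)
        if target is None or not member.isfile():
            skipped.append(member.name)
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with tar.extractfile(member) as src, open(target, "wb") as dst:
            dst.write(src.read())
    return skipped

def demo():
    # Constructed archive: one benign member plus one '..' member.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("disk.img", b"benign"), ("../../etc/evil", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    dest = tempfile.mkdtemp()
    with tarfile.open(fileobj=io.BytesIO(buf.getvalue()), mode="r") as tar:
        skipped = safe_extractall(tar, dest)
    return os.path.exists(os.path.join(dest, "disk.img")), skipped
```

`demo()` extracts the benign member into a temporary directory and returns `(True, ["../../etc/evil"])`, showing the traversal member was refused rather than written outside it.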