2011-11-02 11:40:01 |
David |
bug |
|
|
added bug |
2011-11-02 11:42:57 |
David |
description |
Because of #885165, it may be possible for a remote attacker to man-in-the-middle the connection and provide back a bucket with a filename which includes "/" and/or ".." in the filename. The 'local' filename for a downloaded image is determined by the static method _download_file. [0] The _download_file method will not block directory traversal and will download the image file to the 'local_filename' location through the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (which is found in boto/s3/key.py):
    def get_contents_to_filename(self, filename, headers=None,
        ...
        # boto writes to whatever path it is handed; there is no validation here
        fp = open(filename, 'wb')
[0]
import os

@staticmethod
def _download_file(bucket, filename, local_dir):
    # 'filename' is taken from the bucket; nothing rejects '/' or '..' in it
    key = bucket.get_key(filename)
    # os.path.join happily follows '..' components or an absolute 'filename'
    local_filename = os.path.join(local_dir, filename)
    key.get_contents_to_filename(local_filename)
    return local_filename |
Because of #885165, it may be possible for a remote attacker who can perform a man-in-the-middle attack to provide a bucket with an image filename which includes "/" and/or "..". The 'local' filename is determined, and an image is downloaded to the 'local_filename' location, by the static method _download_file. [0] The _download_file method does not block path traversal.
The actual downloading of the image occurs via the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (as found in boto/s3/key.py):
    def get_contents_to_filename(self, filename, headers=None,
        ...
        # boto writes to whatever path it is handed; there is no validation here
        fp = open(filename, 'wb')
[0]
import os

@staticmethod
def _download_file(bucket, filename, local_dir):
    # 'filename' is taken from the bucket; nothing rejects '/' or '..' in it
    key = bucket.get_key(filename)
    # os.path.join happily follows '..' components or an absolute 'filename'
    local_filename = os.path.join(local_dir, filename)
    key.get_contents_to_filename(local_filename)
    return local_filename |
|
2011-11-02 11:50:27 |
David |
description |
Because of #885165, it may be possible for a remote attacker who can perform a man-in-the-middle attack to provide a bucket with an image filename which includes "/" and/or "..". The 'local' filename is determined, and an image is downloaded to the 'local_filename' location, by the static method _download_file. [0] The _download_file method does not block path traversal.
The actual downloading of the image occurs via the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (as found in boto/s3/key.py):
    def get_contents_to_filename(self, filename, headers=None,
        ...
        # boto writes to whatever path it is handed; there is no validation here
        fp = open(filename, 'wb')
[0]
import os

@staticmethod
def _download_file(bucket, filename, local_dir):
    # 'filename' is taken from the bucket; nothing rejects '/' or '..' in it
    key = bucket.get_key(filename)
    # os.path.join happily follows '..' components or an absolute 'filename'
    local_filename = os.path.join(local_dir, filename)
    key.get_contents_to_filename(local_filename)
    return local_filename |
Because of #885165, it may be possible for a remote attacker who can perform a man-in-the-middle attack to provide a bucket with an image filename which includes "/" and/or "..". The path for the image file is taken from the desired destination directory joined with the filename found in the bucket. This occurs in the static method _download_file. The _download_file method, as the name indicates, also downloads the image to the respective file path.
The actual downloading of the image occurs via the key.get_contents_to_filename call. The get_contents_to_filename method will open a file at the 'local_filename' location through the following code (as found in boto/s3/key.py):
    def get_contents_to_filename(self, filename, headers=None,
        ...
        # boto writes to whatever path it is handed; there is no validation here
        fp = open(filename, 'wb')
This opens a new file object at the location provided. The _download_file method should ensure that the filename is safe to use before calling the get_contents_to_filename method.
[0]
import os

@staticmethod
def _download_file(bucket, filename, local_dir):
    # 'filename' is taken from the bucket; nothing rejects '/' or '..' in it
    key = bucket.get_key(filename)
    # os.path.join happily follows '..' components or an absolute 'filename'
    local_filename = os.path.join(local_dir, filename)
    key.get_contents_to_filename(local_filename)
    return local_filename |
|
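The traversal described in the report above, shown end to end as an added example; this is not code from the bug report, from nova or from boto. FakeBucket and FakeKey are constructed stand-ins for the boto bucket and key objects (FakeKey.get_contents_to_filename opens the path it is given with no checks, as the boto excerpt shows). _download_file_vulnerable mirrors the snippet quoted in the report; _download_file_safe and is_safe_filename are one possible hardening and are an assumption of this example, not the patch that was actually committed for this bug.

```python
import os
import shutil
import tempfile


class FakeKey:
    """Constructed stand-in for boto.s3.key.Key (assumption: only this call is used)."""

    def __init__(self, data):
        self.data = data

    def get_contents_to_filename(self, filename):
        # Same behaviour as the boto excerpt: open whatever path we are handed.
        with open(filename, 'wb') as fp:
            fp.write(self.data)


class FakeBucket:
    """Constructed stand-in for boto.s3.bucket.Bucket; key names are attacker-controlled."""

    def __init__(self, keys):
        self.keys = keys

    def get_key(self, name):
        return FakeKey(self.keys[name])


def _download_file_vulnerable(bucket, filename, local_dir):
    # Mirrors the reported code: os.path.join follows '..' and honours an
    # absolute 'filename', so the write can land anywhere the process can write.
    key = bucket.get_key(filename)
    local_filename = os.path.join(local_dir, filename)
    key.get_contents_to_filename(local_filename)
    return local_filename


class UnsafeFilename(Exception):
    pass


def is_safe_filename(filename):
    """True only for a bare file name that cannot escape local_dir when joined:
    not empty, not '.' or '..', not absolute, and containing no path separator
    (on POSIX a backslash is an ordinary character and is allowed)."""
    if filename in ('', '.', '..'):
        return False
    if os.path.isabs(filename):
        return False
    return os.path.basename(filename) == filename


def _download_file_safe(bucket, filename, local_dir):
    # Hypothetical hardening: validate before any path is built or any I/O happens.
    if not is_safe_filename(filename):
        raise UnsafeFilename(filename)
    local_filename = os.path.join(local_dir, filename)
    # Defence in depth: the resolved destination must still sit under local_dir.
    real_dir = os.path.realpath(local_dir)
    real_dst = os.path.realpath(local_filename)
    if os.path.commonpath([real_dir, real_dst]) != real_dir:
        raise UnsafeFilename(filename)
    key = bucket.get_key(filename)
    key.get_contents_to_filename(local_filename)
    return local_filename


def run_demo():
    """Run both versions against a constructed bucket whose key name carries a
    traversal sequence; returns the observed outcomes as a dict."""
    root = tempfile.mkdtemp(prefix='nova-s3-traversal-')
    local_dir = os.path.join(root, 'images')
    os.mkdir(local_dir)
    target = os.path.join(root, 'outside.txt')      # attacker's intended destination
    evil_name = os.path.join('..', 'outside.txt')   # key name as served by a MITM'd bucket
    bucket = FakeBucket({evil_name: b'pwned', 'good.img': b'ok'})
    results = {}
    try:
        written = _download_file_vulnerable(bucket, evil_name, local_dir)
        results['vulnerable_wrote_outside'] = (
            os.path.realpath(written) == os.path.realpath(target) and os.path.exists(target))
        try:
            _download_file_safe(bucket, evil_name, local_dir)
            results['safe_rejected_traversal'] = False
        except UnsafeFilename:
            results['safe_rejected_traversal'] = True
        good = _download_file_safe(bucket, 'good.img', local_dir)
        results['safe_accepts_plain_name'] = (
            os.path.dirname(good) == local_dir and os.path.exists(good))
    finally:
        shutil.rmtree(root)
    return results


if __name__ == '__main__':
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The name check runs before the key is fetched, so a rejected name never causes any S3 traffic; the realpath check is a second layer in case a symlink already present inside local_dir points elsewhere.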
2011-11-13 15:30:21 |
David |
bug |
|
|
added subscriber OpenStack Vulnerability Management team |
2011-11-14 15:14:49 |
Robert Clark |
nova: status |
New |
Confirmed |
|
2011-11-14 15:26:38 |
Robert Clark |
nova: assignee |
|
Robert Clark (robert-clark) |
|
2011-11-14 15:26:41 |
Thierry Carrez |
nova: importance |
Undecided |
High |
|
2011-11-14 15:26:41 |
Thierry Carrez |
nova: assignee |
Robert Clark (robert-clark) |
|
|
2011-11-14 15:27:44 |
Thierry Carrez |
nova: assignee |
|
Robert Clark (robert-clark) |
|
2011-11-25 13:46:21 |
Thierry Carrez |
nova: status |
Confirmed |
Triaged |
|
2011-11-25 14:49:09 |
Robert Clark |
nova: assignee |
Robert Clark (robert-clark) |
Vish Ishaya (vishvananda) |
|
2011-12-01 16:26:18 |
Thierry Carrez |
attachment added |
|
patch https://bugs.launchpad.net/nova/+bug/885167/+attachment/2614837/+files/patch |
|
2011-12-01 16:26:54 |
Thierry Carrez |
bug |
|
|
added subscriber OpenStack Stable Branch Maintainers |
2011-12-01 16:57:42 |
Thierry Carrez |
nova: status |
Triaged |
In Progress |
|
2011-12-01 16:57:42 |
Thierry Carrez |
nova: assignee |
Vish Ishaya (vishvananda) |
Thierry Carrez (ttx) |
|
2011-12-06 15:56:29 |
Mark McLoughlin |
attachment added |
|
Untested patch https://bugs.launchpad.net/nova/+bug/885167/+attachment/2621840/+files/patch |
|
2011-12-09 12:33:26 |
Thierry Carrez |
cve linked |
|
2011-4596 |
|
2011-12-13 15:01:21 |
Thierry Carrez |
visibility |
private |
public |
|
2011-12-13 15:12:20 |
Openstack Gerrit |
nova: status |
In Progress |
Fix Committed |
|
2011-12-14 09:53:43 |
Thierry Carrez |
nova: status |
Fix Committed |
Fix Released |
|
2011-12-14 09:53:43 |
Thierry Carrez |
nova: milestone |
|
essex-2 |
|
2012-01-11 14:56:01 |
Mark McLoughlin |
nominated for series |
|
nova/diablo |
|
2012-01-11 14:56:02 |
Mark McLoughlin |
bug task added |
|
nova/diablo |
|
2012-01-11 16:08:43 |
Mark McLoughlin |
nova/diablo: status |
New |
Fix Committed |
|
2012-01-11 16:08:43 |
Mark McLoughlin |
nova/diablo: milestone |
|
2011.3.1 |
|
2012-01-12 13:29:04 |
Thierry Carrez |
removed subscriber OpenStack Vulnerability Management team |
|
|
|
2012-01-19 19:13:30 |
Mark McLoughlin |
nova/diablo: status |
Fix Committed |
Fix Released |
|
2012-04-05 09:48:08 |
Thierry Carrez |
nova: milestone |
essex-2 |
2012.1 |
|
2013-12-16 14:08:39 |
Curtis Hovey |
removed subscriber Registry Administrators |
|
|
|