At the very least, the filename retrieved from the manifest should be filtered through basename?
That said, I wonder if that code is even used, since it contains a typo on line 215 (use of "ec2_utils") that should be hit with every manifest with a kernel id, and various other strange things (unused image_id and image_type fields). Vish?
David: could you open a separate security bug so that we investigate the tarfile thing separately?