commit 7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
(cherry picked from commit 5191ed1879c5fd5b2694f922bcedec232f461088)
Reviewed: https://review.openstack.org/145974
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Submitter: Jenkins
Branch: stable/icehouse
Conflicts:
	glance/common/store_utils.py
Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
Closes-Bug: #1408663
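The scheme check the commit message describes, as an added example written here rather than glance's own store_utils code. It treats a client-supplied image location as acceptable only when its scheme is both registered by a configured backend and absent from the denied set ('file', 'filesystem', 'swift+config'); KNOWN_URI_SCHEMES is a placeholder for what a deployment's glance_store backends would report, and PRE_FIX_RESTRICTED models the earlier fix that, per the message, omitted 'filesystem':

```python
"""
Reject image location URIs whose scheme resolves on the glance-api host.

Constructed example, not code from the glance project. A client that can set
an image's location to something like file:///etc/passwd and then download
the image reads that file with glance-api's privileges, which is why the
scheme must be vetted before the location is stored.
"""
from urllib.parse import urlsplit

# Schemes the commit message says must never be accepted from a client: each
# resolves against the API server's own filesystem or its local store
# configuration instead of a remote backend.
RESTRICTED_URI_SCHEMES = frozenset({"file", "filesystem", "swift+config"})

# Hypothetical stand-in for the schemes that a deployment's configured store
# backends register. A real deployment would obtain this from its store
# library rather than hard-code it.
KNOWN_URI_SCHEMES = frozenset({
    "http", "https", "swift", "rbd", "cinder",
    "file", "filesystem", "swift+config",
})

# The denied set of the earlier, incomplete fix as the commit message
# describes it: 'filesystem' is missing.
PRE_FIX_RESTRICTED = frozenset({"file", "swift+config"})


def validate_external_location(uri, restricted=RESTRICTED_URI_SCHEMES,
                               known=KNOWN_URI_SCHEMES):
    """Return True only if the URI's scheme is known to a backend and not
    locally resolvable.

    Combining an allow-list (known) with a deny-list (restricted) means an
    unknown scheme is rejected outright instead of being handed to whichever
    backend happens to accept it, and a bare path with no scheme never passes.
    """
    scheme = urlsplit(uri).scheme.lower()
    if not scheme:
        return False
    return scheme in known and scheme not in restricted


def bypassed_by_incomplete_fix(uri):
    """Return True if the URI slipped past the earlier deny-list but is
    rejected by the complete one, i.e. the gap the commit closes."""
    passed_before = validate_external_location(uri, restricted=PRE_FIX_RESTRICTED)
    passes_now = validate_external_location(uri)
    return passed_before and not passes_now


if __name__ == "__main__":
    # Constructed sample locations a client might submit.
    for sample in ("http://mirror.example/cirros.qcow2",
                   "file:///etc/passwd",
                   "filesystem:///etc/passwd",
                   "swift+config://ref1/glance/image",
                   "/etc/passwd"):
        print(f"{sample:40} allowed={validate_external_location(sample)} "
              f"gap_in_old_fix={bypassed_by_incomplete_fix(sample)}")
```

Note that 'filesystem' is the only sample that passes the old check and fails the new one, which is exactly the regression the message reports against the CVE-2014-9493 fix; a deny-list of schemes is only as good as its completeness, so pairing it with the backend's own list of known schemes limits the damage when a new scheme is added to the store library later.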