Comment 11 for bug 1408663

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/icehouse)

Reviewed: https://review.openstack.org/145974
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Submitter: Jenkins
Branch: stable/icehouse

commit 7d3a1db33ccbd25b9fc7326ce3468eabd2a41a99
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    (cherry picked from commit 5191ed1879c5fd5b2694f922bcedec232f461088)

    Conflicts:
     glance/common/store_utils.py

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663
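
The scheme check this commit message describes, as an added example that is not glance's code or the merged patch. The function names, the sample URIs and the `INCOMPLETE_SCHEMES` set (a denylist that omits 'filesystem') are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Schemes the commit message says must not be accepted in the location field.
RESTRICTED_SCHEMES = frozenset({"file", "filesystem", "swift+config"})
# Assumption: a check that omits 'filesystem', the gap the commit message describes.
INCOMPLETE_SCHEMES = RESTRICTED_SCHEMES - {"filesystem"}


def is_location_allowed(uri, restricted=RESTRICTED_SCHEMES):
    """Return True only if uri has a scheme and it is not restricted."""
    if not isinstance(uri, str):
        return False
    try:
        scheme = urlsplit(uri.strip()).scheme  # urlsplit lowercases the scheme
    except ValueError:  # malformed URI, e.g. a broken IPv6 literal
        return False
    # A bare path has no scheme; reject it rather than guess a default store.
    return bool(scheme) and scheme not in restricted


def missed_by_incomplete_check(uris):
    """URIs an incomplete denylist accepts but the full one rejects."""
    return [u for u in uris
            if is_location_allowed(u, INCOMPLETE_SCHEMES)
            and not is_location_allowed(u)]


# Constructed sample locations (hosts and paths are placeholders).
SAMPLE_LOCATIONS = [
    "http://images.example.org/cirros.img",
    "file:///srv/example/image.img",
    "filesystem:///srv/example/image.img",
    "FileSystem:///srv/example/image.img",
    "swift+config://ref1/container/object",
    "/srv/example/image.img",
]

if __name__ == "__main__":
    for uri in SAMPLE_LOCATIONS:
        print(f"{uri!r:45} allowed={is_location_allowed(uri)}")
    print("missed by incomplete check:", missed_by_incomplete_check(SAMPLE_LOCATIONS))
```

A denylist fails open whenever the store gains or aliases a scheme, which is the omission described above; an allowlist of the schemes a deployment actually uses avoids that class of gap.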