commit 5191ed1879c5fd5b2694f922bcedec232f461088
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
Closes-Bug: #1408663
(cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)
Reviewed: https://review.openstack.org/145916
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=5191ed1879c5fd5b2694f922bcedec232f461088
Submitter: Jenkins
Branch: stable/juno
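
The scheme check the commit message describes, as an added example that is not Glance's own code. The function names, `KNOWN_SCHEMES`, and the contents of `EARLIER_DENYLIST` (the restricted set minus 'filesystem') are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Schemes the commit message says must not be accepted in the location field.
RESTRICTED_SCHEMES = frozenset({"file", "filesystem", "swift+config"})

# Assumption: the earlier, incomplete denylist, i.e. the same set minus 'filesystem'.
EARLIER_DENYLIST = RESTRICTED_SCHEMES - {"filesystem"}

# Assumption: schemes the backing store can resolve (hypothetical deployment).
KNOWN_SCHEMES = frozenset(
    {"file", "filesystem", "swift+config", "http", "https", "swift", "rbd"}
)


def location_scheme(uri):
    """Return the lowercased URI scheme, or None if the URI cannot be parsed."""
    try:
        # urlsplit lowercases the scheme, so 'FILE://' and 'file://' compare equal.
        return urlsplit(uri.strip()).scheme
    except ValueError:
        return None


def is_allowed_location(uri, restricted=RESTRICTED_SCHEMES, known=KNOWN_SCHEMES):
    """Accept a location only if its scheme is known to the store and not restricted."""
    scheme = location_scheme(uri)
    return bool(scheme) and scheme in known and scheme not in restricted


def denylist_gaps(uris, old=EARLIER_DENYLIST, new=RESTRICTED_SCHEMES):
    """Return the URIs the old denylist accepted but the complete one rejects."""
    return [u for u in uris
            if is_allowed_location(u, old) and not is_allowed_location(u, new)]


# Constructed sample locations (not taken from the bug report).
SAMPLE_LOCATIONS = [
    "https://images.example.org/cirros.img",
    "FILE:///srv/example.img",
    "filesystem:///srv/example.img",
    "swift+config://ref1/container/object",
    "/srv/example.img",
]

if __name__ == "__main__":
    for uri in SAMPLE_LOCATIONS:
        print(f"{uri!r:45} allowed={is_allowed_location(uri)}")
    print("accepted only by the earlier denylist:", denylist_gaps(SAMPLE_LOCATIONS))
```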