Comment 11 for bug 1482371

Stuart McLaren (stuart-mclaren) wrote : Re: Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1

Looking again at the whitelisting of headers. It looks like previously any 'x-image-meta-blah' header that the user provided would be passed from the api to the registry. The whitelist meant that any unexpected 'x-image-meta-xxx' headers would be rejected with 400. (But the whitelist doesn't attempt to handle different behaviour for any of the defined headers.)

In v2 an attempt to write to a 'read only' property such as status or updated_at, or a reserved property such as 'owner' will raise a 403 (Forbidden).

In v1, if an attempt to write to 'owner' is made, the 'x-image-meta-owner' header will effectively just be dropped and 200 will be returned. If the image is active and an attempt is made to change size or checksum, a 403 will be returned.

We'll need to decide the behaviour for attempts to update 'status', 'updated_at' etc., i.e. whether to silently drop them or return 403.
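As an added illustration, not Glance's own code and not part of this bug thread, the following filter models the v1 'x-image-meta-*' update path and shows the two policies weighed above for read-only properties (silent drop versus 403); the property sets and the function name are assumptions.

```python
# Added example (not Glance code): a whitelist filter for v1 image update
# headers. Property sets below are assumptions chosen for illustration.
from typing import Dict, List, Tuple

PREFIX = "x-image-meta-"
# Headers the API is willing to forward to the registry; anything else is 400.
WHITELIST = {"name", "disk_format", "container_format", "size", "checksum",
             "is_public", "status", "updated_at", "owner"}
READ_ONLY = {"status", "updated_at"}          # set only by the service itself
RESERVED = {"owner"}                          # silently dropped in v1 today
IMMUTABLE_WHEN_ACTIVE = {"size", "checksum"}  # 403 once the image is active


def check_image_update(headers: Dict[str, str], image_status: str,
                       reject_read_only: bool = True
                       ) -> Tuple[int, Dict[str, str], List[str]]:
    """Return (http_status, accepted_properties, dropped_headers).

    http_status is 200 when the update would be applied; otherwise it is the
    error code the API should return without touching the image record.
    reject_read_only=True is the v2-style policy (403), False the silent drop.
    """
    accepted: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers.items():
        lname = name.lower()                 # header names are case-insensitive
        if not lname.startswith(PREFIX):
            continue                         # not image metadata, ignore here
        prop = lname[len(PREFIX):]
        if prop not in WHITELIST:
            return 400, {}, []               # unexpected x-image-meta-* header
        if prop in READ_ONLY:
            if reject_read_only:
                return 403, {}, []           # forbid writes to status etc.
            dropped.append(name)             # or ignore the header and go on
            continue
        if prop in RESERVED:
            dropped.append(name)             # current v1 behaviour for 'owner'
            continue
        if image_status == "active" and prop in IMMUTABLE_WHEN_ACTIVE:
            return 403, {}, []               # size/checksum frozen once active
        accepted[prop] = value
    return 200, accepted, dropped
```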