Comment 12 for bug 1006414
Revision history for this message
| Sebastian Krahmer (krahmer-p) wrote | #12 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
Um, I just realized that we talked about 2 different attack vectors.
First, pickle is used in the backend to store and load data to/from extended attributes from
files inside read_metadata(). Thats not nice, but not a severe issue if nobody can mod the xattrs.
Then, I just realized that pickle is also used in the memcache part. As memcached is distributed
over a lot of nodes and has no authentication, except your mentioned separation into
a private LAN, this is worse than the above case.
The swift proxy runs as root (is that necessary anyways, after binding to a low port?) and potentially
unpickles anything that he gets. If just someone polluted the memcached with evil pickle data.
I see your private LAN argument, but my experience in network consulting unfortunally shows me that
there is often no such strict separation so that memcached cannot be accessed from the VM/cloud network.
However, I am not exactly sure how to handle that without too much efforts.