By updating an image's location through the update images API, users can download any file for which glance-api has read permission.
For example:
When a user specifies '/etc/passwd' as the locations value of an image, the user can get the file by downloading the image.
How to recreate the bug:
- set show_multiple_locations to True in glance-api.conf
- create a new image
- set the image's locations property to a path you want to get, such as file:///etc/passwd.
- download the image
I found this bug in 2014.2 (742c898956d655affa7351505c8a3a5c72881eae).
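
A defensive check for the issue reported above, as an added example that is not part of the original report and is not Glance's own code: it validates user-supplied location URLs against a scheme allowlist before they are stored. The names `ALLOWED_SCHEMES`, `validate_location_url` and `check_locations`, the allowlist contents and the sample data are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: schemes a deployment accepts from API users.
# Local-filesystem schemes are deliberately absent.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class LocationRejected(ValueError):
    """Raised when a user-supplied image location must not be stored."""


def validate_location_url(url):
    """Return the stripped URL if it is safe to store, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise LocationRejected("location must be a non-empty string")
    url = url.strip()
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # A bare path such as /etc/passwd has no scheme at all.
    if not scheme:
        raise LocationRejected("location has no scheme: %r" % url)
    if scheme not in ALLOWED_SCHEMES:
        raise LocationRejected("scheme %r is not allowed" % scheme)
    # Remote schemes must name a host; 'http:///etc/passwd' does not.
    if not parts.hostname:
        raise LocationRejected("location has no host: %r" % url)
    return url


def check_locations(locations):
    """Split a list of {'url': ...} dicts into (accepted, rejected)."""
    accepted, rejected = [], []
    for loc in locations:
        try:
            validate_location_url(loc.get("url"))
            accepted.append(loc)
        except LocationRejected as exc:
            rejected.append((loc.get("url"), str(exc)))
    return accepted, rejected


# Constructed sample input in the shape of an image "locations" list.
SAMPLE = [
    {"url": "https://images.example.org/cirros.img", "metadata": {}},
    {"url": "file:///etc/passwd", "metadata": {}},
    {"url": "FILE:///etc/passwd", "metadata": {}},
    {"url": "/etc/passwd", "metadata": {}},
]
```

The check belongs on the server side of the image update path, so that a rejected location is never written to the image record.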