commit a2d986b976e9325a272e2d422465165315d19fe6
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800
Prevent file, swift+config and filesystem schemes
This change ensures that 'file', 'filesystem', and 'swift+config' URI
schemes are not allowed when setting the location field. A previous
fix to CVE-2014-9493 attempted to address this issue but did not
include 'filesystem', a URI scheme allowed by the glance_store.
Without this fix in place it is possible for a client to access any file
the glance-api server has read permissions for.
Reviewed: https://review.openstack.org/145640
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=a2d986b976e9325a272e2d422465165315d19fe6
Submitter: Jenkins
Branch: master
Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
Closes-Bug: #1408663
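
The scheme check described in the commit message, as an added illustration in Python (this is not the Glance patch itself). `check_location`, `is_accepted`, `LocationRejected` and `EARLIER_RESTRICTED` are hypothetical names, and the sample URIs are constructed.

```python
from urllib.parse import urlsplit

# Schemes named in the commit message as not allowed in the location field.
RESTRICTED_SCHEMES = frozenset({"file", "filesystem", "swift+config"})
# Constructed stand-in for the earlier, incomplete list: the commit message
# says the previous fix did not include 'filesystem'.
EARLIER_RESTRICTED = frozenset({"file", "swift+config"})


class LocationRejected(ValueError):
    """Raised when a client-supplied location URI must not be stored."""


def check_location(uri, restricted=RESTRICTED_SCHEMES):
    """Return the normalised scheme of uri, or raise LocationRejected."""
    scheme = urlsplit(uri).scheme  # urlsplit lower-cases the scheme
    if not scheme:
        raise LocationRejected("location has no URI scheme: %r" % uri)
    if scheme in restricted:
        raise LocationRejected("scheme %r is not allowed in a location" % scheme)
    return scheme


def is_accepted(uri, restricted=RESTRICTED_SCHEMES):
    """True if uri passes the check against the given restricted set."""
    try:
        check_location(uri, restricted)
        return True
    except LocationRejected:
        return False


# Constructed sample inputs, not taken from the bug report.
SAMPLES = [
    "http://images.example.org/cirros.img",
    "file:///tmp/image.raw",
    "FILE:///tmp/image.raw",
    "filesystem:///tmp/image.raw",
    "swift+config://ref1/container/object",
    "/tmp/image.raw",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print("%-45s earlier=%-5s current=%s" % (
            uri, is_accepted(uri, EARLIER_RESTRICTED), is_accepted(uri)))
```

A restricted-scheme list like this has to be extended whenever the store accepts another scheme that reads from the server's local disk or configuration, which is the gap the commit message describes.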