Comment 9 for bug 1408663

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/juno)

Reviewed: https://review.openstack.org/145916
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=5191ed1879c5fd5b2694f922bcedec232f461088
Submitter: Jenkins
Branch: stable/juno

commit 5191ed1879c5fd5b2694f922bcedec232f461088
Author: Grant Murphy <email address hidden>
Date: Wed Jan 7 16:09:38 2015 -0800

    Prevent file, swift+config and filesystem schemes

    This change ensures that 'file', 'filesystem', and 'swift+config' URI
    schemes are not allowed when setting the location field. A previous
    fix to CVE-2014-9493 attempted to address this issue but did not
    include 'filesystem', a URI scheme allowed by the glance_store.

    Without this fix in place it is possible for a client to access any file
    the glance-api server has read permissions for.

    Change-Id: I02cd099a8634b9c7e3cf8f172bcbd33f8edcbc83
    Closes-Bug: #1408663
    (cherry picked from commit a2d986b976e9325a272e2d422465165315d19fe6)
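
The scheme check the commit message describes, sketched as an added example (this is not code from the glance commit). The names `validate_location`, `missed_by`, `EARLIER_DENIED` and `CURRENT_DENIED` are hypothetical, the earlier denylist is modelled only from the message's statement that it lacked 'filesystem', and the sample URIs are constructed.

```python
from urllib.parse import urlsplit

# Schemes named in the commit message. The earlier CVE-2014-9493 fix is
# modelled here without 'filesystem', the omission the message describes.
EARLIER_DENIED = frozenset({"file", "swift+config"})
CURRENT_DENIED = frozenset({"file", "filesystem", "swift+config"})


class InvalidLocation(ValueError):
    """Raised when a client-supplied location URI must be refused."""


def validate_location(uri, denied=CURRENT_DENIED):
    """Return the normalized scheme, or raise InvalidLocation."""
    if not isinstance(uri, str) or not uri.strip():
        raise InvalidLocation("location must be a non-empty string")
    scheme = urlsplit(uri.strip()).scheme  # urlsplit lowercases the scheme
    if not scheme:
        raise InvalidLocation("location has no URI scheme")
    if scheme in denied:
        raise InvalidLocation("scheme %r is not allowed in a location" % scheme)
    return scheme


def missed_by(denied, uris):
    """List the URIs that `denied` accepts but CURRENT_DENIED refuses."""
    missed = []
    for uri in uris:
        try:
            validate_location(uri, denied)
        except InvalidLocation:
            continue  # already refused by the list under test
        try:
            validate_location(uri, CURRENT_DENIED)
        except InvalidLocation:
            missed.append(uri)
    return missed


# Constructed sample inputs; paths and hosts are placeholders.
SAMPLES = [
    "file:///tmp/constructed-example",
    "FILESYSTEM:///tmp/constructed-example",
    "swift+config://ref1/container/object",
    "http://images.example.org/cirros.img",
]

if __name__ == "__main__":
    print(missed_by(EARLIER_DENIED, SAMPLES))
```

Comparing on the parsed, lowercased scheme rather than on a string prefix keeps mixed-case spellings from slipping past the list.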