Tomasz Zieba created CLOUDSTACK-6283:
----------------------------------------
Summary: User can omit secstorage.allowed.internal.sites limit
Key: CLOUDSTACK-6283
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-6283
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: SystemVM
Affects Versions: 4.2.1
Environment: ACS4.2.1
CitrixXen 6.2SP1
Reporter: Tomasz Zieba
The user is able to bypass the IP address limitations for downloading
templates set in Global Settings: secstorage.allowed.internal.sites
by specifying a URL with an additional port in addition to http, https, i.e.:
http://x.y.v.z:8080/file.vhd
The problem is the rules that are applied on the Secondary Storage VM:
iptables -S OUTPUT
-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.1.0/24 -o eth1 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
The limitations concern only ports 80 and 443.
Is it possible to introduce filtering of the entire traffic or prohibit using
a port in the URL?
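Added example (not part of the original report and not CloudStack code): a small first-match evaluator for the OUTPUT chain quoted above, showing which template URLs the reported rules let through and how a port-independent REJECT changes the result. The names parse_chain, verdict and PORT_INDEPENDENT are hypothetical; the PORT_INDEPENDENT chain is an assumed alternative, not the project's fix. The evaluator assumes IP-literal URLs and new TCP connections leaving via eth1.

```python
import ipaddress
import shlex
from urllib.parse import urlsplit

# Constructed sample: the OUTPUT chain as quoted in the report.
REPORTED = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.1.0/24 -o eth1 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
"""
# Assumption (not the project's fix): one port-independent REJECT after the allow rule.
PORT_INDEPENDENT = """\
-P OUTPUT ACCEPT
-A OUTPUT -d 172.16.1.0/24 -o eth1 -p tcp -m state --state NEW -m tcp -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m state --state NEW -m tcp -j REJECT --reject-with icmp-port-unreachable
"""
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_chain(text):
    """Return (default policy, ordered rules) for the OUTPUT chain."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "OUTPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "OUTPUT"]:
            # Map each option to the token that follows it (-d, --dport, -j ...).
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            rules.append({
                "dst": ipaddress.ip_network(opt["-d"]) if "-d" in opt else None,
                "dport": int(opt["--dport"]) if "--dport" in opt else None,
                "target": opt["-j"],
            })
    return policy, rules

def verdict(url, chain):
    """First-match verdict for a new TCP connection to an IP-literal URL via eth1."""
    parts = urlsplit(url)
    host = ipaddress.ip_address(parts.hostname)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    policy, rules = parse_chain(chain)
    for r in rules:
        if r["dst"] is not None and host not in r["dst"]:
            continue  # rule is scoped to another destination network
        if r["dport"] is not None and port != r["dport"]:
            continue  # rule is scoped to another destination port
        return r["target"]
    return policy  # no rule matched: the chain's default policy applies
```

Running verdict over every URL form a user can submit (default port, explicit port, https) against the live output of iptables -S OUTPUT shows whether the allowed-sites limit holds independently of the port.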