On Thu, Jun 19, 2014 at 1:37 PM, Clint Byrum <[email protected]> wrote:

> A large majority of the failures I've seen OSSG report have been privilege
> escalation in each service: trusts not scoping down properly, quotas
> not being applied, or cross-project/tenant boundaries not being honored.
>
> I don't think we've had many (if any) SQL or shell injection attacks or
> buffer overflows or anything like that. We're all pretty well trained to
> spot these issues, and Python makes you have to try pretty hard to
> implement some of them.
>
>
There was a shell injection attack recently, "Remote Code Execution in
Sheepdog backend"[1], and there have been other issues with trusting
input/escaping too: "www-authenticate value isn't quoted"[2] and "XSS in
Horizon-Orchestration"[3].

[1] https://bugs.launchpad.net/ossa/+bug/1298698
[2] https://bugs.launchpad.net/ossa/+bug/1327414
[3] https://bugs.launchpad.net/ossa/+bug/1289033

- Brant
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
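The shell-injection class Brant points at (untrusted input interpolated into a command string that is handed to a shell) is easy to reproduce in a few lines of Python. The following is an added example written for this page; it is not code from the thread, from the Sheepdog driver, or from any OpenStack project. It uses `echo` as a harmless stand-in for a real backend CLI, and the "volume name" carrying a `;` payload is constructed input. The three variants show the vulnerable form (`shell=True` with string formatting), the usual fix (an argv list, so no shell ever parses the input), and the fallback when a shell really is unavoidable (`shlex.quote`), plus an allow-list validator, which is the check the drivers in question should have had on names coming from the API.

```python
import re
import shlex
import subprocess

# Constructed attacker-controlled input: a volume name with a shell metacharacter payload.
MALICIOUS_NAME = "vol1; echo INJECTED"

# Allow-list for identifiers that end up in backend commands (an assumed policy,
# not one taken from any project): letters, digits, '_', '.', '-', length 1-64.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input formatted into a string run by /bin/sh.

    'echo' stands in for the real backend binary. With MALICIOUS_NAME the shell
    sees two commands, so the second one (the payload) also executes.
    """
    cmd = "echo deleting %s" % name
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_safe(name: str) -> str:
    """Hardened: pass an argv list. No shell is involved, so ';' is just a
    character inside a single argument and cannot split the command."""
    proc = subprocess.run(["echo", "deleting", name], capture_output=True, text=True)
    return proc.stdout


def run_quoted(name: str) -> str:
    """When a shell is unavoidable (pipes, redirections from config), quote
    every untrusted piece with shlex.quote so it stays one word."""
    cmd = "echo deleting %s" % shlex.quote(name)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_name(name: str) -> str:
    """Reject anything outside the allow-list before it reaches a command line.

    Quoting stops the shell from being confused; validation additionally stops
    the backend itself from receiving names it was never meant to parse.
    """
    if not NAME_RE.match(name):
        raise ValueError("invalid volume name: %r" % name)
    return name


def is_valid_name(name: str) -> bool:
    try:
        validate_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("unsafe :", repr(run_unsafe(MALICIOUS_NAME)))   # payload runs: INJECTED on its own line
    print("safe   :", repr(run_safe(MALICIOUS_NAME)))     # payload is inert text
    print("quoted :", repr(run_quoted(MALICIOUS_NAME)))   # payload is inert text
    print("valid? :", is_valid_name(MALICIOUS_NAME), is_valid_name("vol1"))
```

Run it on any system with `/bin/sh` and `echo`; the unsafe variant prints `INJECTED` on a separate line because the shell executed the injected second command, while the list and quoted variants print the whole name as literal text. The same pattern applies to the escaping bugs in the other two links: the fix is to treat the value as data at the boundary (quote it for the context it is emitted into, and validate it against what the consumer can legitimately accept) rather than to try to spot "bad" characters after the fact.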