- glance/common/config.py find_config_file() should not load config files from
"." (e.g. imagine doing "sudo apt-get install glance" from /tmp and being
surprised that ./glance-registry.conf gets loaded during the postinst, writing
to arbitrary locations for SQL and logs)
- I don't see any packaging that replaces the "swift_store_key" or similar
items in the default configs.
- packaging lacks a "purge" target that will clean up the added "glance" user
from the glance.postinst
- should use SSL by default
- glance/common/utils.py creates dangerous "execute" function that uses the
shell to run commands without filtering meta characters. Luckily nothing uses
its only user, fetchfile(). These should both be removed, along with the
unused runthis().
- is the POSTed image data actually used? I can't find many references to
"image_data"
** Changed in: glance (Ubuntu)
Status: New => Incomplete
** Changed in: glance (Ubuntu)
Assignee: Kees Cook (kees) => (unassigned)
--
https://bugs.launchpad.net/bugs/801299
Title:
[MIR]glance
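The first review point, that a config lookup must not pick up files from ".", sketched as an added example (not Glance's code and not part of the original bug comment). The trusted directory list, the `is_safe_config` helper and the ownership/permission policy are assumptions chosen for illustration.

```python
import os
import stat

# Assumed trusted locations; the review only says "." must not be searched.
TRUSTED_DIRS = ("/etc/glance", "/etc")


def is_safe_config(path, trusted_uids=None):
    """Return True if path is a regular file that only a trusted user can modify."""
    if trusted_uids is None:
        trusted_uids = {0, os.geteuid()}  # root and the invoking user
    try:
        # lstat so a symlink dropped in the directory is judged as a symlink
        st = os.lstat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False  # rejects symlinks, directories, FIFOs and devices
    if st.st_uid not in trusted_uids:
        return False
    # Group- or world-writable files can be edited by other local users
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_config_file(name, search_dirs=TRUSTED_DIRS):
    """Return the first safe config file called `name`, or None.

    Relative search directories ("." or "") are skipped, so the result never
    depends on the directory the process was started from, e.g. /tmp during
    a package postinst.
    """
    if os.path.basename(name) != name:
        return None  # refuse names that carry a path component
    for directory in search_dirs:
        if not os.path.isabs(directory):
            continue  # cwd-relative entry: attacker-influenced, ignore
        candidate = os.path.join(directory, name)
        if is_safe_config(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Prints a path under /etc if a safe file exists there, otherwise None
    print(find_config_file("glance-registry.conf"))
```
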