Reviewed:  https://review.openstack.org/613342
Committed: https://git.openstack.org/cgit/openstack/nova-powervm/commit/?id=54e501481de97d600f4c8757dc4cdac80ba5ab54
Submitter: Zuul
Branch:    master

commit 54e501481de97d600f4c8757dc4cdac80ba5ab54
Author: Matthew Edmonds <edmon...@us.ibm.com>
Date:   Thu Oct 25 10:45:47 2018 -0400

    Use tempfile for powervm config drive

    There are potential security issues with using predictable temp
    directories or files, so use python's tempfile module to do this
    safely.

    Change-Id: I5e23933af71180da1d55950fcf49e39b0b800ef5
    Closes-Bug: #1771538

** Changed in: nova-powervm
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1771538

Title:
  PowerVM config drive path is not secure

Status in OpenStack Compute (nova):
  Fix Released
Status in nova-powervm:
  Fix Released

Bug description:
  This report is based on the Bandit scanner results and code review.

  1) On
  https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n44

      43 _VOPT_SIZE_GB = 1
      44 _VOPT_TMPDIR = '/tmp/cfgdrv/'
      45

  We have a hardcoded tmp dir that could be cleaned up after a compute
  node reboot. As mentioned in the TODO, it might be good to use a conf
  option.

  2) On
  https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n116

  A predictable file name based on user input is used:

      116 file_name = pvm_util.sanitize_file_name_for_api(
      117     instance.name, prefix='cfg_', suffix='.iso',
      118     max_len=pvm_const.MaxLen.VOPT_NAME)

  Probably we could use instance.uuid for that.
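
The difference the commit message describes, shown as an added example (not code from nova or nova-powervm): a write to a fixed directory with a name derived from the instance name, beside the same write done through Python's tempfile module. The sandbox directory that stands in for /tmp, the instance name, the file contents and all function names are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

def predictable_path(base_dir, instance_name):
    # Pattern from the report: fixed directory, name derived from user input.
    return os.path.join(base_dir, "cfg_" + instance_name + ".iso")

def write_predictable(base_dir, instance_name, data):
    # A plain open() follows a symlink already sitting at the guessed path.
    path = predictable_path(base_dir, instance_name)
    with open(path, "wb") as f:
        f.write(data)
    return path

def write_with_tempfile(data, parent=None):
    # mkdtemp: random name, mode 0700. NamedTemporaryFile: random name,
    # created with O_EXCL and mode 0600, so an existing entry is never reused.
    workdir = tempfile.mkdtemp(prefix="cfgdrv_", dir=parent)
    with tempfile.NamedTemporaryFile(dir=workdir, prefix="cfg_",
                                     suffix=".iso", delete=False) as f:
        f.write(data)
    return f.name

def demo():
    with tempfile.TemporaryDirectory() as sandbox:  # stands in for /tmp
        shared = os.path.join(sandbox, "cfgdrv")
        os.mkdir(shared)
        other = os.path.join(sandbox, "unrelated_file")
        with open(other, "wb") as f:
            f.write(b"unrelated data")
        # Constructed precondition: the guessable name already exists as a
        # symlink created by someone else with access to the directory.
        os.symlink(other, predictable_path(shared, "instance-00000001"))
        write_predictable(shared, "instance-00000001", b"ISO-BYTES")
        with open(other, "rb") as f:
            clobbered = f.read() == b"ISO-BYTES"
        first = write_with_tempfile(b"ISO-BYTES", parent=sandbox)
        second = write_with_tempfile(b"ISO-BYTES", parent=sandbox)
        workdir = os.path.dirname(first)
        return {
            "predictable_write_hit_other_file": clobbered,
            "tempfile_is_symlink": os.path.islink(first),
            "tempfile_mode": oct(stat.S_IMODE(os.stat(first).st_mode)),
            "tempdir_mode": oct(stat.S_IMODE(os.stat(workdir).st_mode)),
            "names_differ": first != second,
        }

if __name__ == "__main__":
    print(demo())
```

With delete=False the caller owns cleanup of both the file and its directory once the ISO has been uploaded.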