Reviewed: https://review.openstack.org/613342
Committed:
https://git.openstack.org/cgit/openstack/nova-powervm/commit/?id=54e501481de97d600f4c8757dc4cdac80ba5ab54
Submitter: Zuul
Branch: master
commit 54e501481de97d600f4c8757dc4cdac80ba5ab54
Author: Matthew Edmonds <edmon...@us.ibm.com>
Date: Thu Oct 25 10:45:47 2018 -0400
Use tempfile for powervm config drive
There are potential security issues with using predictable temp
directories or files, so use python's tempfile module to do this
safely.
Change-Id: I5e23933af71180da1d55950fcf49e39b0b800ef5
Closes-Bug: #1771538
** Changed in: nova-powervm
Status: New => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1771538
Title:
PowerVM config drive path is not secure
Status in OpenStack Compute (nova):
Fix Released
Status in nova-powervm:
Fix Released
Bug description:
This report is based on the Bandit scanner results and code review.
1)
On
https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n44
43 _VOPT_SIZE_GB = 1
44 _VOPT_TMPDIR = '/tmp/cfgdrv/'
45
We have hardcoded tmp dir that could be cleaned up after compute node reboot.
As mentioned in todo it might be good to use conf option.
2)
On
https://git.openstack.org/cgit/openstack/nova/tree/nova/virt/powervm/media.py?h=refs/heads/master#n116
Predictable file name based on a user input is used:
116 file_name = pvm_util.sanitize_file_name_for_api(
117 instance.name, prefix='cfg_', suffix='.iso',
118 max_len=pvm_const.MaxLen.VOPT_NAME)
Probably we could use instance.uuid for that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1771538/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
