author | Drew Fisher <drew.fisher@oracle.com> |
Wed, 28 Jan 2015 15:28:28 -0800 | |
changeset 3700 | 86697167a9fb |
parent 3669 | 91c379bcac7e |
permissions | -rw-r--r-- |
Errata patch for CVE-2014-9493. This addresses |
https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in |
future releases. |
|
--- glance-2013.2.3/glance/store/__init__.py.orig 2015-01-20 12:17:34.009133229 -0800 |
6 |
+++ glance-2013.2.3/glance/store/__init__.py 2015-01-20 12:20:49.414482608 -0800 |
7 |
@@ -35,6 +35,8 @@ from glance.store import scrubber |
8 |
|
9 |
LOG = logging.getLogger(__name__) |
10 |
|
11 |
+RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config']) |
12 |
+ |
13 |
store_opts = [ |
14 |
cfg.ListOpt('known_stores', |
15 |
default=[ |
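Review bot: RESTRICTED_URI_SCHEMAS is added with no comment saying why these three schemes are refused, even though the patch preamble ties the change to CVE-2014-9493 and LP bug 1408663; suggest `# Schemes an external image location must never use (CVE-2014-9493, LP#1408663); enforced by validate_external_location.` directly above the frozenset. The constant is also a deny-list: in the second hunk validate_external_location accepts any scheme present in location.SCHEME_TO_CLS_MAP that is not listed here, so a store scheme registered later is accepted by default, which is exactly what the `# TODO(gm): Use a whitelist of allowed_schemes` comment in that hunk points at. An allow-list of the remote store schemes would fail closed instead of relying on this set staying complete.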
16 |
@@ -382,10 +384,10 @@ def validate_external_location(uri): |
17 |
:param uri: The URI of external image location. |
18 |
:return: Whether given URI of external image location are OK. |
19 |
""" |
20 |
- pieces = urlparse.urlparse(uri) |
21 |
- valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys() |
22 |
- if scheme != 'file' and scheme != 'swift+config'] |
23 |
- return pieces.scheme in valid_schemes |
24 |
+ # TODO(gm): Use a whitelist of allowed_schemes |
25 |
+ known_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()] |
26 |
+ scheme = urlparse.urlparse(uri).scheme |
27 |
+ return (scheme in known_schemes and scheme not in RESTRICTED_URI_SCHEMAS) |