| author | Drew Fisher <drew.fisher@oracle.com> |
| Thu, 22 Jan 2015 11:26:32 -0800 | |
| changeset 3669 | 91c379bcac7e |
| child 3700 | 86697167a9fb |
| permissions | -rw-r--r-- |
|
3669
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
1 |
Errata patch for CVE-2014-9493. This addresses |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
2 |
https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
3 |
future releases. |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
4 |
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
5 |
--- glance-2013.2.3/glance/store/__init__.py.orig 2015-01-20 12:17:34.009133229 -0800 |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
6 |
+++ glance-2013.2.3/glance/store/__init__.py 2015-01-20 12:20:49.414482608 -0800 |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
7 |
@@ -35,6 +35,8 @@ from glance.store import scrubber |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
8 |
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
9 |
LOG = logging.getLogger(__name__) |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
10 |
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
11 |
+RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config']) |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
12 |
+ |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
13 |
store_opts = [ |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
14 |
cfg.ListOpt('known_stores',
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
15 |
default=[ |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
16 |
@@ -382,11 +384,11 @@ def validate_external_location(uri): |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
17 |
:param uri: The URI of external image location. |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
18 |
:return: Whether given URI of external image location are OK. |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
19 |
""" |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
20 |
- pieces = urlparse.urlparse(uri) |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
21 |
- valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys() |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
22 |
- if scheme != 'file' and scheme != 'swift+config'] |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
23 |
- return pieces.scheme in valid_schemes |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
24 |
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
25 |
+ # TODO(gm): Use a whitelist of allowed schemes |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
26 |
+ scheme = urlparse.urlparse(uri).scheme |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
27 |
+ return (scheme in get_known_schemes() and |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
28 |
+ scheme not in RESTRICTED_URI_SCHEMAS) |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
29 |
|
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
30 |
class ImageRepoProxy(glance.domain.proxy.Repo): |
|
91c379bcac7e
20388250 problem in SERVICE/GLANCE
Drew Fisher <drew.fisher@oracle.com>
parents:
diff
changeset
|
31 |