Upstream patch to address CVE-2017-7214.  We assume 'circural' below

is a typo for 'circular' but we took the comment verbatim from

upstream.  This patch is modified slightly to work with OpenStack Kilo

which is EOL'd upstream.

From 305cdb38db47258909ef83d5918c7c85ef9d7a5b Mon Sep 17 00:00:00 2001

From: Balazs Gibizer <[email protected]>

Date: Fri, 17 Mar 2017 11:24:49 +0100

Subject: [PATCH] do not include context to exception notification

The wrap_exception decorator optionally emited a notification.

Based on the code comments the original intention was not to include the

context to that notification due to security reasons. However the

implementation did included the context to the payload of the legacy

notification.

Recently we saw circural reference errors during the payload serialization

of this notification. Based on the logs the only complex data structure

that could cause circural reference is the context. So this patch

removes the context from the legacy exception notification.

The versioned exception notification is not affected as it does not

contain the args of the decorated function.

Closes-Bug: #1673375

--- nova-2015.1.2/nova/exception.py.orig	2017-03-23 16:30:19.897009405 +0000

+++ nova-2015.1.2/nova/exception.py	2017-03-23 16:33:57.530985808 +0000

@@ -75,6 +75,10 @@ def wrap_exception(notifier=None, get_no

                         payload = dict(exception=e)

                         call_dict = safe_utils.getcallargs(f, context,

                                                            *args, **kw)

+                        # NOTE(gibi) remove context as well as it contains

+                        # sensitive information and it can also contain

+                        # circular references

+                        call_dict.pop('context', None)

                         cleansed = _cleanse_dict(call_dict)

                         payload.update({'args': cleansed})