components/openstack/glance/patches/08-CVE-2015-1195.patch
changeset 4063 12e03e5492b8
parent 4062 f45bb9cec48c
parent 4061 5ac5027dc3e3
4062:f45bb9cec48c 4063:12e03e5492b8
     1 Errata patch for CVE-2014-9493.  This addresses
       
     2 https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in
       
     3 future releases.
       
     4 
       
     5 --- glance-2013.2.3/glance/store/__init__.py.orig	2015-01-20 12:17:34.009133229 -0800
       
     6 +++ glance-2013.2.3/glance/store/__init__.py	2015-01-20 12:20:49.414482608 -0800
       
     7 @@ -35,6 +35,8 @@ from glance.store import scrubber
       
     8 
       
     9  LOG = logging.getLogger(__name__)
       
    10 
       
    11 +RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
       
    12 +
       
    13  store_opts = [
       
    14      cfg.ListOpt('known_stores',
       
    15                  default=[
       
    16 @@ -382,10 +384,10 @@ def validate_external_location(uri):
       
    17      :param uri: The URI of external image location.
       
    18      :return: Whether given URI of external image location are OK.
       
    19      """
       
    20 -    pieces = urlparse.urlparse(uri)
       
    21 -    valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()
       
    22 -                     if scheme != 'file' and scheme != 'swift+config']
       
    23 -    return pieces.scheme in valid_schemes
       
    24 +    # TODO(gm): Use a whitelist of allowed_schemes
       
    25 +    known_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()]
       
    26 +    scheme = urlparse.urlparse(uri).scheme
       
    27 +    return (scheme in known_schemes and scheme not in RESTRICTED_URI_SCHEMAS)
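Review bot: `validate_external_location` still decides by denylist, so it fails open: any scheme later registered in `location.SCHEME_TO_CLS_MAP` is accepted as an external location unless it is also added to `RESTRICTED_URI_SCHEMAS`, and the removed lines show the earlier exclusion list had already missed `filesystem`. Until the allow-list from the TODO exists, I would document the constant where it is defined, e.g. `# Schemes never accepted from API users as external image locations; any new store scheme that must not be user-supplied has to be added here.`, and add a regression test asserting that each restricted scheme is rejected. The copy `known_schemes = [...]` is also unnecessary, and its loop variable shares the name `scheme` that the next line rebinds; `return scheme in location.SCHEME_TO_CLS_MAP and scheme not in RESTRICTED_URI_SCHEMAS` reads more directly. The function's signature and the start of its docstring are outside the hunk.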