--- a/components/openstack/glance/patches/03-CVE-2014-0162.patch Fri Mar 20 22:56:27 2015 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,219 +0,0 @@
-This proposed upstream patch addresses CVE-2014-0162 and is tracked
-under Launchpad bug 1298698. Although it's been addressed in Icehouse
-2014.1, the patch below is still not yet released for Havana.
-
-commit 13069a4017d36a549576a21ca3ec5b15c411effc
-Author: Zhi Yan Liu <[email protected]>
-Date: Sat Mar 29 03:35:35 2014 +0800
-
- To prevent remote code injection on Sheepdog store
-
- Change-Id: Iae92eaf9eb023f36a1bab7c20ea41c985f2bf51b
- Signed-off-by: Zhi Yan Liu <[email protected]>
-
-diff --git a/glance/store/sheepdog.py b/glance/store/sheepdog.py
-index d10aea7..2f75441 100644
---- a/glance/store/sheepdog.py
-+++ b/glance/store/sheepdog.py
-@@ -25,6 +25,7 @@ from glance.common import exception
- from glance.openstack.common import excutils
- import glance.openstack.common.log as logging
- from glance.openstack.common import processutils
-+from glance.openstack.common import uuidutils
- import glance.store
- import glance.store.base
- import glance.store.location
-@@ -32,7 +33,7 @@ import glance.store.location
-
- LOG = logging.getLogger(__name__)
-
--DEFAULT_ADDR = 'localhost'
-+DEFAULT_ADDR = '127.0.0.1'
- DEFAULT_PORT = '7000'
- DEFAULT_CHUNKSIZE = 64 # in MiB
-
-@@ -63,18 +64,14 @@ class SheepdogImage:
- self.chunk_size = chunk_size
-
- def _run_command(self, command, data, *params):
-- cmd = ("collie vdi %(command)s -a %(addr)s -p %(port)s %(name)s "
-- "%(params)s" %
-- {"command": command,
-- "addr": self.addr,
-- "port": self.port,
-- "name": self.name,
-- "params": " ".join(map(str, params))})
-+ cmd = ["collie", "vdi"]
-+ cmd.extend(command)
-+ cmd.extend(["-a", self.addr, "-p", self.port, self.name])
-+ cmd.extend(params)
-
- try:
-- return processutils.execute(
-- cmd, process_input=data, shell=True)[0]
-- except processutils.ProcessExecutionError as exc:
-+ return processutils.execute(*cmd, process_input=data)[0]
-+ except (processutils.ProcessExecutionError, OSError) as exc:
- LOG.error(exc)
- raise glance.store.BackendException(exc)
-
-@@ -84,7 +81,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi list -r -a address -p port image
- """
-- out = self._run_command("list -r", None)
-+ out = self._run_command(["list", "-r"], None)
- return long(out.split(' ')[3])
-
- def read(self, offset, count):
-@@ -94,7 +91,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi read -a address -p port image offset len
- """
-- return self._run_command("read", None, str(offset), str(count))
-+ return self._run_command(["read"], None, str(offset), str(count))
-
- def write(self, data, offset, count):
- """
-@@ -103,7 +100,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi write -a address -p port image offset len
- """
-- self._run_command("write", data, str(offset), str(count))
-+ self._run_command(["write"], data, str(offset), str(count))
-
- def create(self, size):
- """
-@@ -111,7 +108,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi create -a address -p port image size
- """
-- self._run_command("create", None, str(size))
-+ self._run_command(["create"], None, str(size))
-
- def delete(self):
- """
-@@ -119,7 +116,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi delete -a address -p port image
- """
-- self._run_command("delete", None)
-+ self._run_command(["delete"], None)
-
- def exist(self):
- """
-@@ -127,7 +124,7 @@ class SheepdogImage:
-
- Sheepdog Usage: collie vdi list -r -a address -p port image
- """
-- out = self._run_command("list -r", None)
-+ out = self._run_command(["list", "-r"], None)
- if not out:
- return False
- else:
-@@ -138,7 +135,7 @@ class StoreLocation(glance.store.location.StoreLocation):
- """
- Class describing a Sheepdog URI. This is of the form:
-
-- sheepdog://image
-+ sheepdog://image-id
-
- """
-
-@@ -149,10 +146,14 @@ class StoreLocation(glance.store.location.StoreLocation):
- return "sheepdog://%s" % self.image
-
- def parse_uri(self, uri):
-- if not uri.startswith('sheepdog://'):
-- raise exception.BadStoreUri(uri, "URI must start with %s://" %
-- 'sheepdog')
-- self.image = uri[11:]
-+ valid_schema = 'sheepdog://'
-+ if not uri.startswith(valid_schema):
-+ raise exception.BadStoreUri(_("URI must start with %s://") %
-+ valid_schema)
-+ self.image = uri[len(valid_schema):]
-+ if not uuidutils.is_uuid_like(self.image):
-+ raise exception.BadStoreUri(_("URI must contains well-formated "
-+ "image id"))
-
-
- class ImageIterator(object):
-@@ -192,7 +193,7 @@ class Store(glance.store.base.Store):
-
- try:
- self.chunk_size = CONF.sheepdog_store_chunk_size * 1024 * 1024
-- self.addr = CONF.sheepdog_store_address
-+ self.addr = CONF.sheepdog_store_address.strip()
- self.port = CONF.sheepdog_store_port
- except cfg.ConfigFileValueError as e:
- reason = _("Error in store configuration: %s") % e
-@@ -200,10 +201,18 @@ class Store(glance.store.base.Store):
- raise exception.BadStoreConfiguration(store_name='sheepdog',
- reason=reason)
-
-+ if ' ' in self.addr:
-+ reason = (_("Invalid address configuration of sheepdog store: %s")
-+ % self.addr)
-+ LOG.error(reason)
-+ raise exception.BadStoreConfiguration(store_name='sheepdog',
-+ reason=reason)
-+
- try:
-- processutils.execute("collie", shell=True)
-- except processutils.ProcessExecutionError as exc:
-- reason = _("Error in store configuration: %s") % exc
-+ cmd = ["collie", "vdi", "list", "-a", self.addr, "-p", self.port]
-+ processutils.execute(*cmd)
-+ except Exception as e:
-+ reason = _("Error in store configuration: %s") % e
- LOG.error(reason)
- raise exception.BadStoreConfiguration(store_name='sheepdog',
- reason=reason)
-diff --git a/glance/tests/unit/test_sheepdog_store.py b/glance/tests/unit/test_sheepdog_store.py
-index 8eef86b..bea7e29 100644
---- a/glance/tests/unit/test_sheepdog_store.py
-+++ b/glance/tests/unit/test_sheepdog_store.py
-@@ -57,4 +57,5 @@ class TestStore(base.StoreClearingUnitTest):
- 'fake_image_id',
- utils.LimitingReader(StringIO.StringIO('xx'), 1),
- 2)
-- self.assertEqual(called_commands, ['list -r', 'create', 'delete'])
-+ self.assertEqual([['list', '-r'], ['create'], ['delete']],
-+ called_commands)
-diff --git a/glance/tests/unit/test_store_location.py b/glance/tests/unit/test_store_location.py
-index 7eec171..2464ebb 100644
---- a/glance/tests/unit/test_store_location.py
-+++ b/glance/tests/unit/test_store_location.py
-@@ -52,7 +52,7 @@ class TestStoreLocation(base.StoreClearingUnitTest):
- 'rbd://imagename',
- 'rbd://fsid/pool/image/snap',
- 'rbd://%2F/%2F/%2F/%2F',
-- 'sheepdog://imagename',
-+ 'sheepdog://244e75f1-9c69-4167-9db7-1aa7d1973f6c',
- 'cinder://12345678-9012-3455-6789-012345678901',
- ]
-
-@@ -367,15 +367,18 @@ class TestStoreLocation(base.StoreClearingUnitTest):
- """
- Test the specific StoreLocation for the Sheepdog store
- """
-- uri = 'sheepdog://imagename'
-+ uri = 'sheepdog://244e75f1-9c69-4167-9db7-1aa7d1973f6c'
- loc = glance.store.sheepdog.StoreLocation({})
- loc.parse_uri(uri)
-- self.assertEqual('imagename', loc.image)
-+ self.assertEqual('244e75f1-9c69-4167-9db7-1aa7d1973f6c', loc.image)
-
-- bad_uri = 'sheepdog:/image'
-+ bad_uri = 'sheepdog:/244e75f1-9c69-4167-9db7-1aa7d1973f6c'
- self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
-
-- bad_uri = 'http://image'
-+ bad_uri = 'http://244e75f1-9c69-4167-9db7-1aa7d1973f6c'
-+ self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
-+
-+ bad_uri = 'image; name'
- self.assertRaises(exception.BadStoreUri, loc.parse_uri, bad_uri)
-
- def test_cinder_store_good_location(self):