Errata patch for CVE-2014-9493. This addresses
https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in
future releases.
--- glance-2013.2.3/glance/store/__init__.py.orig 2015-01-20 12:17:34.009133229 -0800
+++ glance-2013.2.3/glance/store/__init__.py 2015-01-20 12:20:49.414482608 -0800
@@ -35,6 +35,8 @@ from glance.store import scrubber
LOG = logging.getLogger(__name__)
+RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
+
store_opts = [
cfg.ListOpt('known_stores',
default=[
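Review bot: The new module-level constant `RESTRICTED_URI_SCHEMAS` carries no comment saying what it is for or why these three schemes are singled out, which matters because this is the security-relevant list for the CVE the patch names. A one-line comment above it, `# Schemes validate_external_location() must reject for user-supplied image locations (CVE-2014-9493).`, would tell the next maintainer that adding a store scheme here is a deliberate access-control decision rather than a tidy-up. The set is only consumed by the second hunk, so the comment is the only place the intent is recorded near the data.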
@@ -382,10 +384,10 @@ def validate_external_location(uri):
:param uri: The URI of external image location.
:return: Whether given URI of external image location are OK.
"""
- pieces = urlparse.urlparse(uri)
- valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()
- if scheme != 'file' and scheme != 'swift+config']
- return pieces.scheme in valid_schemes
+ # TODO(gm): Use a whitelist of allowed_schemes
+ known_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()]
+ scheme = urlparse.urlparse(uri).scheme
+ return (scheme in known_schemes and scheme not in RESTRICTED_URI_SCHEMAS)
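Review bot: The list comprehension at `known_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()]` copies every key of the map on each call only to perform a single membership test; `scheme in location.SCHEME_TO_CLS_MAP` is the direct form, so the body reduces to `scheme = urlparse.urlparse(uri).scheme` and `return scheme in location.SCHEME_TO_CLS_MAP and scheme not in RESTRICTED_URI_SCHEMAS`. The TODO comment names the remaining design point: the check is still a denylist layered over whatever schemes appear in SCHEME_TO_CLS_MAP, so a scheme added there later is accepted for external locations until someone also adds it to RESTRICTED_URI_SCHEMAS, whereas the allow-list the TODO asks for would fail closed. The enclosing function validate_external_location begins before this hunk.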