Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/openstack/heat/patches/01-CVE-2014-3801.patch
author Drew Fisher <drew.fisher@oracle.com>
Tue, 05 Aug 2014 08:29:43 -0600
changeset 2025 8dbf23e740f2
permissions -rw-r--r--
PSARC/2014/236 OpenStack Heat (OpenStack Orchestration Service) 19120578 Request to integrate Heat into userland

Patch for Upstream bug 1311223.  This addresses CVE-2014-3801.  It has
been fixed in Icehouse 2014.1.1 and Havana 2013.2.4.

From 7e114a38712da8947ee7ad93eabda34f5e4aa65a Mon Sep 17 00:00:00 2001
From: Angus Salkeld <[email protected]>
Date: Thu, 1 May 2014 11:20:55 +1000
Subject: Don't dynamically create provider types in the global env

Only support this in user environments.
Note: this is only when you have the following in your template
resources:
  thingy:
    type: http://example.com/foo.template

Doing this will avoid tenant-specific provider template URLs being
shown globally in the resource-type listing.

Co-Authored-By: Angus Salkeld <[email protected]>
Closes-Bug: #1311223
Change-Id: Ifa18108afacbda390b19b46a8f41bc4f018e95d6
(cherry picked from commit a02ff20509171346d2a1d2a9df7c81aada134c52)

diff --git a/heat/engine/environment.py b/heat/engine/environment.py
index 6dd73f0..db9f2e2 100644
--- a/heat/engine/environment.py
+++ b/heat/engine/environment.py
@@ -187,7 +187,10 @@ class ResourceRegistry(object):
         registry[name] = info
 
     def iterable_by(self, resource_type, resource_name=None):
-        if resource_type.endswith(('.yaml', '.template')):
+        is_templ_type = resource_type.endswith(('.yaml', '.template'))
+        if self.global_registry is not None and is_templ_type:
+            # we only support dynamic resource types in user environments
+            # not the global environment.
             # resource with a Type == a template
             # we dynamically create an entry as it has not been registered.
             if resource_type not in self._registry:
diff --git a/heat/tests/test_provider_template.py b/heat/tests/test_provider_template.py
index 500cc59..e2af880 100644
--- a/heat/tests/test_provider_template.py
+++ b/heat/tests/test_provider_template.py
@@ -398,6 +398,8 @@ class ProviderTemplateTest(HeatTestCase):
             self.assertIn(attrib, templ_resource.attributes)
         for k, v in json_snippet.get("Properties").items():
             self.assertEqual(v, templ_resource.properties[k])
+        self.assertNotIn('WordPress_Single_Instance.yaml',
+                         resources.global_env().registry._registry)
 
     def test_system_template_retrieve_by_file(self):
         # make sure that a TemplateResource defined in the global environment
-- 
cgit v0.10.1
upstream/oracle/userland-gate