components/openstack/glance/patches/08-CVE-2015-1195.patch
author Drew Fisher <drew.fisher@oracle.com>
Thu, 22 Jan 2015 11:26:32 -0800
changeset 3669 91c379bcac7e
child 3700 86697167a9fb
permissions -rw-r--r--
20388250 problem in SERVICE/GLANCE

Errata patch for CVE-2014-9493.  This addresses
https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in
future releases.

--- glance-2013.2.3/glance/store/__init__.py.orig	2015-01-20 12:17:34.009133229 -0800
+++ glance-2013.2.3/glance/store/__init__.py	2015-01-20 12:20:49.414482608 -0800
@@ -35,6 +35,8 @@ from glance.store import scrubber

 LOG = logging.getLogger(__name__)

+RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
+
 store_opts = [
     cfg.ListOpt('known_stores',
                 default=[
@@ -382,11 +384,11 @@ def validate_external_location(uri):
     :param uri: The URI of external image location.
     :return: Whether given URI of external image location are OK.
     """
-    pieces = urlparse.urlparse(uri)
-    valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()
-                     if scheme != 'file' and scheme != 'swift+config']
-    return pieces.scheme in valid_schemes

+    # TODO(gm): Use a whitelist of allowed schemes
+    scheme = urlparse.urlparse(uri).scheme
+    return (scheme in get_known_schemes() and
+            scheme not in RESTRICTED_URI_SCHEMAS)

 class ImageRepoProxy(glance.domain.proxy.Repo):
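Review bot: The replacement return on the new side is still a deny-list: every scheme that get_known_schemes() reports is accepted unless it appears in RESTRICTED_URI_SCHEMAS, so any store scheme registered later whose backend reads local files or operator-side configuration becomes reachable through an external image location until someone remembers to add it to the set — the `# TODO(gm)` line acknowledges this but the constant itself, introduced in the first hunk with no comment, does not say so. I would document the contract next to the constant, e.g. `# Deny-list consulted by validate_external_location(): any scheme in get_known_schemes() is accepted unless listed here, so new local-file or config-backed store schemes must be added when they are registered.`. The function's docstring (above the hunk) could also state that the scheme is taken from urlparse, which in the Python 2 urlparse this code targets lowercases it, so the lowercase entries in the set are expected to cover mixed-case input as well; if that assumption is wrong the comparison should lowercase explicitly. validate_external_location's signature and docstring start outside the hunk.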