20388250 problem in SERVICE/GLANCE
authorDrew Fisher <drew.fisher@oracle.com>
Thu, 22 Jan 2015 11:26:32 -0800
changeset 3669 91c379bcac7e
parent 3667 9281a3b8df2d
child 3671 91f76aae1155
20388250 problem in SERVICE/GLANCE
components/openstack/glance/patches/08-CVE-2015-1195.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/glance/patches/08-CVE-2015-1195.patch	Thu Jan 22 11:26:32 2015 -0800
@@ -0,0 +1,31 @@
+Errata patch for CVE-2014-9493.  This addresses
+https://bugs.launchpad.net/ossa/+bug/1408663 and will be included in
+future releases.
+
+--- glance-2013.2.3/glance/store/__init__.py.orig	2015-01-20 12:17:34.009133229 -0800
++++ glance-2013.2.3/glance/store/__init__.py	2015-01-20 12:20:49.414482608 -0800
[email protected]@ -35,6 +35,8 @@ from glance.store import scrubber
+
+ LOG = logging.getLogger(__name__)
+
++RESTRICTED_URI_SCHEMAS = frozenset(['file', 'filesystem', 'swift+config'])
++
+ store_opts = [
+     cfg.ListOpt('known_stores',
+                 default=[
[email protected]@ -382,11 +384,11 @@ def validate_external_location(uri):
+     :param uri: The URI of external image location.
+     :return: Whether given URI of external image location are OK.
+     """
+-    pieces = urlparse.urlparse(uri)
+-    valid_schemes = [scheme for scheme in location.SCHEME_TO_CLS_MAP.keys()
+-                     if scheme != 'file' and scheme != 'swift+config']
+-    return pieces.scheme in valid_schemes
+
++    # TODO(gm): Use a whitelist of allowed schemes
++    scheme = urlparse.urlparse(uri).scheme
++    return (scheme in get_known_schemes() and
++            scheme not in RESTRICTED_URI_SCHEMAS)
+
+ class ImageRepoProxy(glance.domain.proxy.Repo):
+