yahoo-eng-team team mailing list archive

[Bug 1061331] Re: when context.owner == None, all images are displayed

 

** Changed in: glance/grizzly
   Importance: Undecided => Low

** Changed in: glance/grizzly
       Status: New => Fix Released

** Changed in: glance/grizzly
    Milestone: None => 2013.1

** Changed in: glance/grizzly
     Assignee: (unassigned) => Mark Washenberger (markwash)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1061331

Title:
  when context.owner == None, all images are displayed

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance grizzly series:
  Fix Released

Bug description:
  In glance.sqlalchemy.db.api, if you call image_get_all with a context
  where context.owner == None, then the function can potentially return
  all images even if it is not an admin context.

  This may not be a security problem, as it may be impossible in any
  reasonable real case to have context.owner == None. However, this
  seems both counterintuitive and very dangerous, where if some other
  bug allowed a request to come in without an owner, private images
  would be visible.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1061331/+subscriptions
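
The failure mode in the bug description, as an added example that is not Glance's code and not part of the original notification: a visibility filter that is applied only when an owner is present, next to one that always restricts non-admin callers. The `Context` class, the function names and the image records are hypothetical and constructed for illustration; the real query logic in `image_get_all` is not shown on this page.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """Hypothetical stand-in for a request context (not Glance's class)."""
    is_admin: bool = False
    owner: Optional[str] = None


# Constructed sample records: two private images and one public image.
IMAGES = [
    {"id": "img-1", "owner": "tenant-a", "is_public": False},
    {"id": "img-2", "owner": "tenant-b", "is_public": False},
    {"id": "img-3", "owner": "tenant-b", "is_public": True},
]


def visible_fail_open(context, images):
    """Assumed buggy shape: the ownership filter is skipped when owner is None."""
    if context.is_admin:
        return [i["id"] for i in images]
    result = images
    if context.owner is not None:
        result = [i for i in images
                  if i["is_public"] or i["owner"] == context.owner]
    # With owner None nothing was filtered, so private images leak through.
    return [i["id"] for i in result]


def visible_fail_closed(context, images):
    """Non-admin callers are always filtered; no owner means public images only."""
    if context.is_admin:
        return [i["id"] for i in images]
    return [i["id"] for i in images
            if i["is_public"]
            or (context.owner is not None and i["owner"] == context.owner)]


if __name__ == "__main__":
    anonymous = Context(is_admin=False, owner=None)
    print("fail-open  :", visible_fail_open(anonymous, IMAGES))
    print("fail-closed:", visible_fail_closed(anonymous, IMAGES))
```

A regression test for this class of bug asserts on the owner-less, non-admin context specifically, since requests with a valid owner behave identically in both versions.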