yahoo-eng-team team mailing list archive

[Bug 1098962] Re: [OSSA 2013-002] glance image-download can display backend Swift password

 

** Summary changed:

- glance image-download can display backend Swift password
+ [OSSA 2013-002] glance image-download can display backend Swift password

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Fix Released

** Changed in: ossa
     Assignee: (unassigned) => Thierry Carrez (ttx)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1098962

Title:
  [OSSA 2013-002] glance image-download can display backend Swift
  password

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance essex series:
  Fix Committed
Status in Glance folsom series:
  Fix Released
Status in Glance grizzly series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  Using the latest release of Glance Grizzly (git 2d9b3f1) on Fedora
  17.

  It appears that Glance can return a 404 message which contains the
  backend Swift store password when there are errors obtaining the image
  from Swift.

  Example:

  [root@nova1 image]# glance image-download foo
  Request returned failure status.
  404 Not Found
  Swift could not find image at uri swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a
      (HTTP 404)

  ----

  The above could happen for any user that can access the Glance server.

  A simple way to replicate this is to do something like this:

  1) Set up Glance using Swift as a backend (single tenant mode).

  2) Remove or block an image from the Swift account where images are
  stored.

  3) Attempt to download the same image (which you removed from Swift)
  from Glance.

  ---

  The root cause of the issue appears to be that the Swift store can
  raise NotFound exceptions with the backend location URI in them.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1098962/+subscriptions
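
The root cause described in the report, shown as an added example that is not part of the original notification and is not Glance's code or its actual fix: a not-found error built from the full store location, next to a version that strips the credentials from the URI first. The names NotFound, redact_uri, fetch_vulnerable, fetch_hardened, missing_object and error_text are hypothetical, and the location is the sample URI from the report.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the store location URI quoted in the bug report.
LOCATION = ("swift+http://admin%3Aadmin:AABBCC112233@127.0.0.1:5000"
            "/v2.0/glance/b0bd4daf-0cef-448e-b5f2-3033d0f5a73a")


class NotFound(Exception):
    """Hypothetical stand-in for the store's not-found error."""


def redact_uri(uri):
    """Return uri with any user:password@ part removed from the authority."""
    parts = urlsplit(uri)
    host = parts.netloc.rpartition("@")[2]  # keep only host[:port]
    return urlunsplit(parts._replace(netloc=host))


def fetch_vulnerable(uri, backend):
    """Pattern from the report: the full location ends up in the error."""
    try:
        return backend(uri)
    except KeyError:
        raise NotFound("Swift could not find image at uri %s" % uri)


def fetch_hardened(uri, backend):
    """Same lookup, but only a credential-free URI reaches the client."""
    try:
        return backend(uri)
    except KeyError:
        # "from None" also keeps the original error (which carries the
        # full URI) out of chained tracebacks written to logs.
        raise NotFound("Swift could not find image at uri %s"
                       % redact_uri(uri)) from None


def missing_object(uri):
    """Constructed backend that behaves as if the object was deleted."""
    raise KeyError(uri)


def error_text(fetch, uri=LOCATION):
    """Return the message a client would see for a missing image."""
    try:
        fetch(uri, missing_object)
    except NotFound as exc:
        return str(exc)
    return ""
```

Calling error_text(fetch_vulnerable) returns a message containing the Swift password, while error_text(fetch_hardened) returns the same message with only the host, port and object path.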