yahoo-eng-team team mailing list archive
Message #12158
[Bug 1297414] Re: Users can set arbitrary headers by adding newlines to header values
** Also affects: python-glanceclient
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1297414
Title:
Users can set arbitrary headers by adding newlines to header values
Status in OpenStack Image Registry and Delivery Service (Glance):
New
Status in Python client library for Glance:
New
Bug description:
Glance and the python-glanceclient (v1) do not armor/sanitize their inputs when assembling headers. In particular, "x-image-meta-property-description" is exposed via interfaces like Horizon (which still uses v1) as a free-form text field (Unicode, newlines, etc. allowed), and if users introduce newlines, the glanceclient will POST them to Glance verbatim without any extra encoding, which means maliciously/incompetently constructed Description: values can set header values that the client otherwise would not.

I can't really see anything in the code that uses HTTP headers to set any sort of security context, but this could just be a lack of imagination on my part.
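As an added illustration of the input armoring the report says is missing (this is example code, not code from Glance or python-glanceclient), the check below refuses CR/LF in header names or values before a client turns free-form image properties into headers. The "x-image-meta-property-" prefix mirrors the header named in the report; the property names and sample description are constructed.

```python
import re

# CR, LF and NUL terminate or corrupt a header line in HTTP/1.x, so any of
# them inside a value lets a naive "name: value\r\n" serializer emit extra
# header lines that the caller never intended.
_CTL_RE = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """True if the string contains no CR, LF or NUL characters."""
    return _CTL_RE.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Lossy alternative to rejection: fold line breaks into single spaces."""
    return " ".join(_CTL_RE.sub(" ", value).split())


def build_image_meta_headers(properties: dict) -> dict:
    """Map free-form image properties to x-image-meta-property-* headers
    (prefix assumed from the bug report), refusing any name or value that
    could inject a new header line.  Raises ValueError instead of sending."""
    headers = {}
    for name, value in properties.items():
        header_name = "x-image-meta-property-" + str(name)
        header_value = str(value)
        if not is_safe_header_value(header_name):
            raise ValueError("control characters in header name: %r" % name)
        if not is_safe_header_value(header_value):
            raise ValueError("control characters in value for %r" % name)
        headers[header_name] = header_value
    return headers


# Constructed sample: what a user might type into a multi-line UI field.
SAMPLE_PROPERTIES = {"description": "Ubuntu base image\nbuilt from cloud image"}

if __name__ == "__main__":
    print(build_image_meta_headers({"os": "ubuntu", "arch": "x86_64"}))
    print(sanitize_header_value(SAMPLE_PROPERTIES["description"]))
    try:
        build_image_meta_headers(SAMPLE_PROPERTIES)
    except ValueError as exc:
        print("refused:", exc)
```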