yahoo-eng-team team mailing list archive

[Bug 1297414] Re: Users can set arbitrary headers by adding newlines to header values

The underlying HTTP transport for glanceclient no longer allows users to
send or receive headers like this. This is fixed in newer versions of
glanceclient which rely on those newer versions of requests.

** Changed in: python-glanceclient
       Status: New => Fix Released

** Changed in: glance
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1297414

Title:
  Users can set arbitrary headers by adding newlines to header values

Status in Glance:
  Won't Fix
Status in Glance Client:
  Fix Released

Bug description:
  Glance and the python-glanceclient (v1) do not armor/sanitize their
  inputs when assembling headers. In particular,
  "x-image-meta-property-description" is exposed via interfaces like
  Horizon (which still uses v1) as a free-form text field (Unicode,
  newlines, etc. allowed), and if users introduce newlines, the
  glanceclient will POST them to Glance verbatim without any extra
  encoding, which means maliciously/incompetently constructed
  Description: values can set header values that the client otherwise
  would not.

  I can't really see anything in the code that uses HTTP headers to set
  any sort of security context, but this could just be a lack of
  imagination on my part.

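As an added illustration (written for this archive page, not glanceclient's own code), the check below contrasts the verbatim copying the report describes with a version that refuses property values containing CR or LF, the same condition newer versions of requests reject at the transport. The helper names, the `x-constructed-example` header and the sample descriptions are constructed for the example.

```python
import re

# CR or LF ends a header line on the wire, so a value containing either is
# sent as one header plus whatever text follows the break (the reported bug).
_LINE_BREAK = re.compile(r"[\r\n]")


def naive_property_headers(properties):
    """Unpatched behaviour: property values copied into v1 headers verbatim."""
    return {f"x-image-meta-property-{k}": str(v) for k, v in properties.items()}


def safe_property_headers(properties):
    """Hardened form: refuse any property name or value that contains CR/LF.

    Checking at the point where the free-form field is consumed gives a
    clearer error than an exception raised deep inside the HTTP library."""
    headers = {}
    for name, value in properties.items():
        text = str(value)
        if _LINE_BREAK.search(name) or _LINE_BREAK.search(text):
            raise ValueError(
                f"property {name!r} contains a line break and cannot be a header")
        headers[f"x-image-meta-property-{name}"] = text
    return headers


def wire_lines(headers):
    """Serialize a header dict as HTTP/1.1 header lines, then split the bytes
    the way a lenient server would (CRLF, bare CR or bare LF all end a line)."""
    raw = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return [line for line in re.split(r"\r\n|\r|\n", raw) if line]


def injected_header_count(properties):
    """Extra header lines the naive serialization would emit beyond one per
    property; 0 means the input is clean. Useful as a pre-flight check."""
    lines = wire_lines(naive_property_headers(properties))
    return len(lines) - len(properties)


if __name__ == "__main__":
    # Constructed sample input: a description as a Horizon user could type it.
    clean = {"description": "Ubuntu base image"}
    tainted = {"description": "Ubuntu base image\r\nx-constructed-example: 1"}
    print(injected_header_count(clean))    # 0
    print(injected_header_count(tainted))  # 1
    try:
        safe_property_headers(tainted)
    except ValueError as exc:
        print("rejected:", exc)
```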