
yahoo-eng-team team mailing list archive

[Bug 1261893] Re: glance image-create --location doesn't fail with bad URLs


Marking it as Won't Fix in horizon too.
The horizon patch was marked as -2 three years ago and it was abandoned.
The reason given for the -2 clearly describes the reason. I quoted it for clarification.
----
Kieran is absolutely right in pointing out the CVE that led to us outright removing this from Django.

I responded to the thread on the ML as well, but for posterity let me
add my reply here as well:

Adding this to Horizon is a no-go.

Django removed the “verify_exists” option from URLField in Django 1.5
for very good reasons. Here’s the release notes summary:

“django.db.models.fields.URLField.verify_exists will be removed. The
feature was deprecated in 1.3.1 due to intractable security and
performance issues and will follow a slightly accelerated deprecation
timeframe.”

Note that “intractable security issues” bit. Doing this type of
validation server-side opens you up to some nasty DoS attacks and simply
shouldn’t be done.

If you have further questions, I recommend talking to Paul McMillan, who
was the original reporter of the security issues with “verify_exists” in
Django.


FWIW, I say let Glance deal with the security problems associated with fetching arbitrary URLs. Horizon can still provide a good user experience just with some improved wording in the user-facing messages.

----

** Changed in: horizon
       Status: Confirmed => Won't Fix
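As an added example (not code from Horizon, Glance, Django or this thread), here is what a client-side check in the spirit of the comment above looks like: purely syntactic validation of a --location URL that never contacts the server, returning the improved user-facing wording that says what was and was not verified. ALLOWED_SCHEMES and the "path required" rule are assumptions for this example, not Glance's own policy.

```python
from urllib.parse import urlsplit

# Assumption for this example: schemes an image location may use.
ALLOWED_SCHEMES = {"http", "https"}


def validate_image_location(url):
    """Syntactic validation only; no connection is ever opened.

    Returns (ok, message). The message is the wording shown to the user.
    Reachability is deliberately NOT checked: a server-side fetch of an
    arbitrary user-supplied URL is the DoS surface that got verify_exists
    removed from Django, so a dead server still passes here.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, "Location is not a parseable URL: %s" % exc

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, ("Location must start with http:// or https:// "
                       "(got %r)." % (scheme or ""))
    if not parts.hostname:
        return False, "Location has no host name."

    # .port raises ValueError for non-numeric or out-of-range ports on
    # newer Pythons; the explicit range check covers older ones.
    try:
        port = parts.port
    except ValueError:
        return False, "Location has an invalid port."
    if port is not None and not 0 < port < 65536:
        return False, "Location has an invalid port."

    # Assumption: an image location should name a file, not just a host.
    if not parts.path or parts.path == "/":
        return False, "Location should include the path to the image file."

    return True, ("Location accepted. The server is not contacted during "
                  "validation; if it is unreachable, the image will be "
                  "created with an empty size and the fetch will fail later.")
```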

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1261893

Title:
  glance image-create --location doesn't fail with bad URLs

Status in OpenStack Dashboard (Horizon):
  Won't Fix
Status in Glance Client:
  Won't Fix

Bug description:
  I ran the command below, then realized that the URL is bad, there's no
  server there. Instead of throwing an error, it blindly created another
  image of size ''. Didn't see anything in the recent commits for it,
  this is on Ubuntu 12.04.

   python-glanceclient                  1:0.11.0-0ubuntu1~cloud0
  Client library for Openstack glance server.

  root@larry:~# glance image-create --name cirros --is-public true --container-format bare --disk-format qcow2 --location http://10.0.0.1:9630/isos/cirros-0.3.0-x86_64-disk.img
  +------------------+--------------------------------------+
  | Property         | Value                                |
  +------------------+--------------------------------------+
  | checksum         | None                                 |
  | container_format | bare                                 |
  | created_at       | 2013-12-17T19:20:57                  |
  | deleted          | False                                |
  | deleted_at       | None                                 |
  | disk_format      | qcow2                                |
  | id               | 93ca9d12-f9c9-4ef1-a12a-192cc2251da3 |
  | is_public        | True                                 |
  | min_disk         | 0                                    |
  | min_ram          | 0                                    |
  | name             | cirros                               |
  | owner            | 9db5a2b06743410eb506384f19ae7db7     |
  | protected        | False                                |
  | size             | 0                                    |
  | status           | active                               |
  | updated_at       | 2013-12-17T19:20:57                  |
  +------------------+--------------------------------------+
  root@larry:~# glance image-list
  +--------------------------------------+--------+-------------+------------------+------+--------+
  | ID                                   | Name   | Disk Format | Container Format | Size | Status |
  +--------------------------------------+--------+-------------+------------------+------+--------+
  | 93ca9d12-f9c9-4ef1-a12a-192cc2251da3 | cirros | qcow2       | bare             |      | active |
  +--------------------------------------+--------+-------------+------------------+------+--------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1261893/+subscriptions