yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1888722] Re: The Nova api permits any possible hostname, including for example "../.." or "; --" or "hostname.openstack.org"

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Balazs Gibizer <1888722@xxxxxxxxxxxxxxxxxx>
Date: Thu, 27 Aug 2020 08:57:40 -0000
Reply-to: Bug 1888722 <1888722@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Marking this as INVALID. Please set it back to NEW if you disagree.

** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1888722

Title:
  The Nova api permits any possible hostname, including for example
  "../.." or "; --" or "hostname.openstack.org"

Status in OpenStack Compute (nova):
  Invalid
Status in OpenStack Security Advisory:
  Invalid

Bug description:
  I have a long-standing bug in my internal bug tracker expressing
  concern that the following server names are valid:

  foo"]; --
  ../..

  I note that there are also a couple of existing bugs (1581977 and
  1655563) describing a bad interaction with the Neutron integration api
  for hosts with a '.' in the name.

  I propose a new config option:

  [api]
  permitted_servername_regex

  That would allow people using neutron integration to disallow dots in
  names, and I would rest easier knowing that I'd also ruled out
  slashes, ampersands and semicolons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1888722/+subscriptions