gentoo-overlay/app-admin/glance/files/glance-folsom-3-CVE-2013-18...

33 lines
1.0 KiB

From dd849a9be540bedd4fd904cc0b86ccd9c3e34af2 Mon Sep 17 00:00:00 2001
From: Stuart McLaren <stuart.mclaren@hp.com>
Date: Thu, 14 Mar 2013 13:43:36 +0000
Subject: [PATCH] Do not return location in headers

In some cases credentials were being leaked when downloading a cached
v1 image.

Fixes bug 1135541, CVE-2013-1840

Change-Id: I3ec0a8f484fe1bdc32c3c56fce810fcef347a7f6
---
glance/api/middleware/cache.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/glance/api/middleware/cache.py b/glance/api/middleware/cache.py
index 8e24ef0..dcd59b6 100644
--- a/glance/api/middleware/cache.py
+++ b/glance/api/middleware/cache.py
@@ -111,6 +111,9 @@ class CacheFilter(wsgi.Middleware):
def _process_v1_request(self, request, image_id, image_iterator):
image_meta = registry.get_image_metadata(request.context, image_id)
+ # Don't display location
+ if 'location' in image_meta:
+ del image_meta['location']
if not image_meta['size']:
# override image size metadata with the actual cached
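Review bot: The new comment `# Don't display location` in `_process_v1_request` does not say why the key is dropped. The commit message gives the reason (credentials leaked when downloading a cached v1 image), and the comment should carry it, for example by stating that `location` can carry credentials and must not reach the response headers. The check-and-delete pair can be collapsed to `image_meta.pop('location', None)`, which has the same effect in one statement. The diffstat lists only `glance/api/middleware/cache.py` with 3 insertions, so the fix ships without a test; a regression test asserting that a cached v1 download response carries no location value would keep this from being reintroduced. Since the strip is applied only inside `_process_v1_request`, it is also worth confirming in review that no other handler in this middleware passes `image_meta` from `registry.get_image_metadata` into a response without the same filtering.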
--
1.8.1.5