The Nova api permits any possible hostname, including for example "../.." or "; --" or "hostname.openstack.org"
Bug #1888722 reported by Andrew Bogott
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | Invalid | Undecided | Unassigned |
OpenStack Security Advisory | Invalid | Undecided | Unassigned |
Bug Description
I have a long-standing bug in my internal bug tracker expressing concern that the following server names are valid:
foo"]; --
../..
I note that there are also a couple of existing bugs (1581977 and 1655563) describing a bad interaction with the Neutron integration api for hosts with a '.' in the name.
I propose a new config option:
[api]
permitted_
That would allow people using neutron integration to disallow dots in names, and I would rest easier knowing that I'd also ruled out slashes, ampersands and semicolons.
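Added example, not part of the original report and not Nova code: an allow-list check of the kind the report asks for, run against the names it quotes. The function name and the `extra_allowed` setting are hypothetical, and the base rule assumed here is an RFC 1123 label (letters, digits, hyphen).

```python
import string

# Assumed base allow-list: the characters of an RFC 1123 hostname label.
BASE_ALLOWED = frozenset(string.ascii_letters + string.digits + "-")


def check_server_name(name, extra_allowed=""):
    """Return a list of problems; an empty list means the name is accepted.

    extra_allowed is a hypothetical operator setting (not a Nova option),
    e.g. "." for deployments that do want dotted names.
    """
    if not isinstance(name, str) or not name:
        return ["empty or non-string name"]
    allowed = BASE_ALLOWED | set(extra_allowed)
    problems = []
    # Allow-list, not deny-list: anything outside the set is reported,
    # including quotes, slashes, semicolons, whitespace and non-ASCII.
    bad = sorted(set(name) - allowed)
    if bad:
        problems.append("disallowed characters: " + " ".join(map(repr, bad)))
    # Structural rules per label; the split only matters when the operator
    # has allowed dots, otherwise the whole name is a single label.
    for label in name.split("."):
        if not 1 <= len(label) <= 63:
            problems.append("label length must be 1-63")
            break
        if label[0] == "-" or label[-1] == "-":
            problems.append("label starts or ends with '-'")
            break
    return problems


# Constructed sample input: the names quoted in the report plus controls.
SAMPLES = ['foo"]; --', "../..", "hostname.openstack.org", "web-01", "-web"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), check_server_name(sample) or "accepted")
```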
Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security
reviewers for the affected project or projects confirm the bug and
discuss the scope of any vulnerability along with potential
solutions.