* CVE-2014-3801: heat: User's provider templates show up in listing of
authorThomas Goirand <thomas@goirand.fr>
Wed, 21 May 2014 08:07:41 +0000 (16:07 +0800)
committerThomas Goirand <thomas@goirand.fr>
Wed, 21 May 2014 08:07:41 +0000 (16:07 +0800)
    resource types globally across tenants. Applied upstream patch:
    Dont_dynamically_create_provider_types_in_the_global_env.patch
    (Closes: #748824).

Rewritten-From: 5b0ee7f20c79ddaab0db6d841a2aa01e7fc39c8b

trusty/debian/changelog
trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch [new file with mode: 0644]
trusty/debian/patches/series

index 4cc17d931dd5db973da975d0b49c3dce3aa1d7d3..3436b1dabfebc31e81e1229dc5a8fdf0f024cff6 100644 (file)
@@ -1,6 +1,10 @@
 heat (2014.1-4) unstable; urgency=medium
 
   * Refreshed fix-default-db.patch.
+  * CVE-2014-3801: heat: User's provider templates show up in listing of
+    resource types globally across tenants. Applied upstream patch:
+    Dont_dynamically_create_provider_types_in_the_global_env.patch
+    (Closes: #748824).
 
  -- Thomas Goirand <zigo@debian.org>  Wed, 21 May 2014 16:02:56 +0800
 
diff --git a/trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch b/trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch
new file mode 100644 (file)
index 0000000..7613fa6
--- /dev/null
@@ -0,0 +1,44 @@
+Subject: CVE-2014-3801: Don't dynamically create provider types in the global env
+ Only support this in user environments.
+ Note: this is only when you have the following in your template
+ resources:
+   thingy:
+     type: http://example.com/foo.template
+ .
+ Doing this will avoid tenant-specific provider template URLs being shown
+ globally in the resource-type listing.
+Author: Angus Salkeld <angus.salkeld@rackspace.com>
+Date: Thu, 1 May 2014 01:20:55 +0000 (+1000)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fheat.git;a=commitdiff_plain;h=a02ff20509171346d2a1d2a9df7c81aada134c52
+Bug-Ubuntu: https://launchpad.net/bugs/1311223
+Change-Id: Ifa18108afacbda390b19b46a8f41bc4f018e95d6
+
+Index: heat/heat/engine/environment.py
+===================================================================
+--- heat.orig/heat/engine/environment.py       2014-04-14 16:36:22.000000000 +0800
++++ heat/heat/engine/environment.py    2014-05-21 16:05:44.000000000 +0800
+@@ -218,7 +218,10 @@
+         registry[name] = info
+     def iterable_by(self, resource_type, resource_name=None):
+-        if resource_type.endswith(('.yaml', '.template')):
++        is_templ_type = resource_type.endswith(('.yaml', '.template'))
++        if self.global_registry is not None and is_templ_type:
++            # we only support dynamic resource types in user environments
++            # not the global environment.
+             # resource with a Type == a template
+             # we dynamically create an entry as it has not been registered.
+             if resource_type not in self._registry:
+Index: heat/heat/tests/test_provider_template.py
+===================================================================
+--- heat.orig/heat/tests/test_provider_template.py     2014-04-14 16:36:22.000000000 +0800
++++ heat/heat/tests/test_provider_template.py  2014-05-21 16:05:44.000000000 +0800
+@@ -432,6 +432,8 @@
+             {'WordPress_Single_Instance.yaml':
+              'WordPress_Single_Instance.yaml', 'resources': {}},
+             stack.env.user_env_as_dict()["resource_registry"])
++        self.assertNotIn('WordPress_Single_Instance.yaml',
++                         resources.global_env().registry._registry)
+     def test_persisted_unregistered_provider_templates(self):
+         """
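Review bot: In the embedded environment.py hunk, the new guard `if self.global_registry is not None and is_templ_type:` makes the tenant-isolation fix depend on an unstated convention, apparently that only the global registry has `global_registry` set to None. The added comment also sits inside the branch, where it reads as describing the body rather than the condition. I would move it above the `if` and state the invariant, e.g. `# global_registry is None only on the global registry; never auto-register template types there (CVE-2014-3801: they would show up in every tenant's resource-type listing)`. The assertion added in test_provider_template.py checks the private `_registry` dict for one key; also asserting on the resource-type listing would pin the behaviour the CVE describes. Both `iterable_by` and the test method continue outside the hunks shown, so what the global registry does with a template-typed name after skipping this branch cannot be confirmed from here.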
index 1ebe602d2a6bd765859366ac0f79c959ed072681..d31c46743bfc0de48e6d8e0780ef2b6c512cdc86 100644 (file)
@@ -1 +1,2 @@
 fix-default-db.patch
+Dont_dynamically_create_provider_types_in_the_global_env.patch