From: Thomas Goirand Date: Wed, 21 May 2014 08:07:41 +0000 (+0800) Subject: * CVE-2014-3801: heat: User's provider templates show up in listing of X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=53ff26aed6165f031367238a21eb65d27ec61544;p=openstack-build%2Fheat-build.git * CVE-2014-3801: heat: User's provider templates show up in listing of resource types globally across tenants. Applied upstream patch: Dont_dynamically_create_provider_types_in_the_global_env.patch (Closes: #748824). Rewritten-From: 5b0ee7f20c79ddaab0db6d841a2aa01e7fc39c8b
---
diff --git a/trusty/debian/changelog b/trusty/debian/changelog
index 4cc17d93..3436b1da 100644
--- a/trusty/debian/changelog
+++ b/trusty/debian/changelog
@@ -1,6 +1,10 @@
 heat (2014.1-4) unstable; urgency=medium
 * Refreshed fix-default-db.patch.
+ * CVE-2014-3801: heat: User's provider templates show up in listing of
+ resource types globally across tenants. Applied upstream patch:
+ Dont_dynamically_create_provider_types_in_the_global_env.patch
+ (Closes: #748824).
 -- Thomas Goirand Wed, 21 May 2014 16:02:56 +0800
diff --git a/trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch b/trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch
new file mode 100644
index 00000000..7613fa65
--- /dev/null
+++ b/trusty/debian/patches/Dont_dynamically_create_provider_types_in_the_global_env.patch
@@ -0,0 +1,44 @@
+Subject: CVE-2014-3801: Don't dynamically create provider types in the global env
+ Only support this in user environments.
+ Note: this is only when you have the following in your template
+ resources:
+ thingy:
+ type: http://example.com/foo.template
+ .
+ Doing this will avoid tenant-specific provider template URLs being shown
+ globally in the resource-type listing.
+Author: Angus Salkeld
+Date: Thu, 1 May 2014 01:20:55 +0000 (+1000)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fheat.git;a=commitdiff_plain;h=a02ff20509171346d2a1d2a9df7c81aada134c52
+Bug-Ubuntu: https://launchpad.net/bugs/1311223
+Change-Id: Ifa18108afacbda390b19b46a8f41bc4f018e95d6
+
+Index: heat/heat/engine/environment.py
+===================================================================
+--- heat.orig/heat/engine/environment.py 2014-04-14 16:36:22.000000000 +0800
++++ heat/heat/engine/environment.py 2014-05-21 16:05:44.000000000 +0800
+@@ -218,7 +218,10 @@
+ registry[name] = info
+
+ def iterable_by(self, resource_type, resource_name=None):
+- if resource_type.endswith(('.yaml', '.template')):
++ is_templ_type = resource_type.endswith(('.yaml', '.template'))
++ if self.global_registry is not None and is_templ_type:
++ # we only support dynamic resource types in user environments
++ # not the global environment.
+ # resource with a Type == a template
+ # we dynamically create an entry as it has not been registered.
+ if resource_type not in self._registry:
+Index: heat/heat/tests/test_provider_template.py
+===================================================================
+--- heat.orig/heat/tests/test_provider_template.py 2014-04-14 16:36:22.000000000 +0800
++++ heat/heat/tests/test_provider_template.py 2014-05-21 16:05:44.000000000 +0800
+@@ -432,6 +432,8 @@
+ {'WordPress_Single_Instance.yaml':
+ 'WordPress_Single_Instance.yaml', 'resources': {}},
+ stack.env.user_env_as_dict()["resource_registry"])
++ self.assertNotIn('WordPress_Single_Instance.yaml',
++ resources.global_env().registry._registry)
+
+ def test_persisted_unregistered_provider_templates(self):
+ """
diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series
index 1ebe602d..d31c4674 100644
--- a/trusty/debian/patches/series
+++ b/trusty/debian/patches/series
@@ -1 +1,2 @@
 fix-default-db.patch
+Dont_dynamically_create_provider_types_in_the_global_env.patch
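Review bot: In the environment.py part of the added patch file, the guard `if self.global_registry is not None and is_templ_type:` makes "this is a user environment" depend on an attribute whose meaning is not visible in the hunk, and the comment states the intent but not why this test expresses it. Presumably only the global registry is built with `global_registry=None`; if so, say it in the comment, e.g. `# global_registry is None only on the global registry itself, so tenant template URLs are never registered there`. It is also worth confirming that no user registry can be constructed without a global one, since such a registry would silently stop resolving template-typed resources. The new test asserts on the private `_registry` dict, so an additional assertion against the resource-type listing would pin the cross-tenant behaviour the CVE describes. `iterable_by` continues past the end of the nested hunk, so the rest of the branch is not visible here.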