authorBrian Waldon <brian.waldon@rackspace.com>2011-06-17 14:35:10 -0400
committerBrian Waldon <brian.waldon@rackspace.com>2011-06-17 14:35:10 -0400
commit2ee267b7e463b3f0b7997f5dce91b325610795ab (patch)
tree9c2581c5333fc9795364103e63dedcb309c4866b
parentbfbb2b8e04d1cd4b761c67973b173d2ca6f84859 (diff)
adding check for serverRef hostname matching app url
-rw-r--r--nova/api/openstack/images.py16
-rw-r--r--nova/tests/api/openstack/test_images.py15
2 files changed, 24 insertions, 7 deletions
diff --git a/nova/api/openstack/images.py b/nova/api/openstack/images.py
index 4a09060c9..d43340e10 100644
--- a/nova/api/openstack/images.py
+++ b/nova/api/openstack/images.py
@@ -101,7 +101,7 @@ class Controller(object):
raise webob.exc.HTTPBadRequest()
try:
- server_id = self._server_id_from_req_data(body)
+ server_id = self._server_id_from_req(req, body)
image_name = body["image"]["name"]
except KeyError:
raise webob.exc.HTTPBadRequest()
@@ -116,7 +116,7 @@ class Controller(object):
"""Indicates that you must use a Controller subclass."""
raise NotImplementedError
- def _server_id_from_req_data(self, data):
+ def _server_id_from_req(self, req, data):
raise NotImplementedError()
def _get_extra_properties(self, req, data):
@@ -157,7 +157,7 @@ class ControllerV10(Controller):
builder = self.get_builder(req).build
return dict(images=[builder(image, detail=True) for image in images])
- def _server_id_from_req_data(self, data):
+ def _server_id_from_req(self, req, data):
try:
return data['image']['serverId']
except KeyError:
@@ -201,14 +201,20 @@ class ControllerV11(Controller):
builder = self.get_builder(req).build
return dict(images=[builder(image, detail=True) for image in images])
- def _server_id_from_req_data(self, data):
+ def _server_id_from_req(self, req, data):
try:
server_ref = data['image']['serverRef']
except KeyError:
msg = _("Expected serverRef attribute on server entity.")
raise webob.exc.HTTPBadRequest(explanation=msg)
- return os.path.split(server_ref)[1]
+ head, tail = os.path.split(server_ref)
+
+ if head and head != os.path.join(req.application_url, 'servers'):
+ msg = _("serverRef must match request url")
+ raise webob.exc.HTTPBadRequest(explanation=msg)
+
+ return tail
def _get_extra_properties(self, req, data):
server_ref = data['image']['serverRef']
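Review bot: The new guard in ControllerV11._server_id_from_req compares `head` with `os.path.join(req.application_url, 'servers')`, and webob derives `application_url` from the request's own host and script name (the host normally coming from the client's Host header), so this checks that serverRef is consistent with the request rather than with a configured endpoint; a comment such as `# consistency check only: application_url reflects the request's Host header` would keep later readers from treating it as a trust boundary. The match is an exact string comparison, so an explicit default port or a different hostname case is rejected, while a serverRef ending in `/` passes with an empty `tail`; consider `if not tail: raise webob.exc.HTTPBadRequest(explanation=msg)` before the return. `os.path.split` and `os.path.join` are filesystem helpers whose separator depends on the platform, so `urlparse` with `posixpath` would state the intent more directly. _get_extra_properties, which starts at the end of this hunk, reads serverRef again and its body is outside the hunk.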
diff --git a/nova/tests/api/openstack/test_images.py b/nova/tests/api/openstack/test_images.py
index 06983893a..deef5d235 100644
--- a/nova/tests/api/openstack/test_images.py
+++ b/nova/tests/api/openstack/test_images.py
@@ -1028,9 +1028,9 @@ class ImageControllerWithGlanceServiceTest(test.TestCase):
response = req.get_response(fakes.wsgi_app())
self.assertEqual(200, response.status_int)
- def test_create_image_v1_1_actual_serverRef(self):
+ def test_create_image_v1_1_actual_server_ref(self):
- serverRef = 'http://localhost:8774/v1.1/servers/1'
+ serverRef = 'http://localhost/v1.1/servers/1'
body = dict(image=dict(serverRef=serverRef, name='Backup 1'))
req = webob.Request.blank('/v1.1/images')
req.method = 'POST'
@@ -1041,6 +1041,17 @@ class ImageControllerWithGlanceServiceTest(test.TestCase):
result = json.loads(response.body)
self.assertEqual(result['image']['serverRef'], serverRef)
+ def test_create_image_v1_1_server_ref_bad_hostname(self):
+
+ serverRef = 'http://asdf/v1.1/servers/1'
+ body = dict(image=dict(serverRef=serverRef, name='Backup 1'))
+ req = webob.Request.blank('/v1.1/images')
+ req.method = 'POST'
+ req.body = json.dumps(body)
+ req.headers["content-type"] = "application/json"
+ response = req.get_response(fakes.wsgi_app())
+ self.assertEqual(400, response.status_int)
+
def test_create_image_v1_1_xml_serialization(self):
body = dict(image=dict(serverRef='123', name='Backup 1'))
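Review bot: test_create_image_v1_1_server_ref_bad_hostname covers only a foreign hostname, so the path half of the new check is untested: a serverRef on the right host but under another collection or API version (a constructed example: `http://localhost/v1.1/images/1`) should also be asserted to return 400. A case with a trailing slash and one with an explicit port would pin down how strict the match is meant to be. The local `serverRef` could become `server_ref` to match the snake_case rename of the neighbouring test.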