authorPádraig Brady <pbrady@redhat.com>2012-07-31 14:05:35 +0100
committerPádraig Brady <pbrady@redhat.com>2012-08-07 20:02:06 +0100
commitce4b2e27be45a85b310237615c47eb53f37bb5f3 (patch)
tree1d235965a3f5773ab5d7e7588e5c0b4768b05281 /nova/virt
parent9d753f18e1c5e4eaa4021f64ac9fe14ef1103b71 (diff)
Prohibit file injection writing to host filesystem
This refines the previous fix in commit 2427d4a9 by doing the file name canonicalization as the root user. This is required so that guest images could not, for example, protect malicious symlinks in a directory only readable by root. Fixes bug: 1031311, CVE-2012-3447 Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
Diffstat (limited to 'nova/virt')
-rw-r--r--nova/virt/disk/api.py4
1 files changed, 3 insertions, 1 deletions
diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
index 373c4fa52..5d3c9c6c9 100644
--- a/nova/virt/disk/api.py
+++ b/nova/virt/disk/api.py
@@ -363,7 +363,9 @@ def _join_and_check_path_within_fs(fs, *args):
mounted guest fs. Trying to be clever and specifying a
path with '..' in it will hit this safeguard.
'''
- absolute_path = os.path.realpath(os.path.join(fs, *args))
+ absolute_path, _err = utils.execute('readlink', '-nm',
+ os.path.join(fs, *args),
+ run_as_root=True)
if not absolute_path.startswith(os.path.realpath(fs) + '/'):
raise exception.Invalid(_('injected file path not valid'))
return absolute_path
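Review bot: The new `utils.execute('readlink', '-nm', ...)` call has no comment saying why canonicalization must run as root, so a later cleanup could plausibly revert it to `os.path.realpath`. I would add `# Resolve as root: the guest image may place symlinks under directories the nova user cannot read, which an unprivileged realpath would not follow.` directly above it. The prefix comparison on the following line still uses an unprivileged `os.path.realpath(fs)`, which looks fine for a host-controlled mount point but deserves a line in the docstring. The check only holds if callers write to the returned `absolute_path` rather than re-joining the original arguments, and if the mounted tree cannot change between this check and the write; neither is visible in this hunk, so the docstring should state both assumptions. The function's signature and the start of its docstring lie above the hunk.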