From ce4b2e27be45a85b310237615c47eb53f37bb5f3 Mon Sep 17 00:00:00 2001
From: Pádraig Brady <pbrady@redhat.com>
Date: Tue, 31 Jul 2012 14:05:35 +0100
Subject: Prohibit file injection writing to host filesystem

This is a refinement of the previous fix in commit 2427d4a9,
which does the file name canonicalization as the root user.
This is required so that guest images could not for example,
protect malicious symlinks in a directory only readable by root.

Fixes bug: 1031311, CVE-2012-3447
Change-Id: I7f7cdeeffadebae7451e1e13f73f1313a7df9c5c
---
 nova/virt/disk/api.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'nova/virt')

diff --git a/nova/virt/disk/api.py b/nova/virt/disk/api.py
index 373c4fa52..5d3c9c6c9 100644
--- a/nova/virt/disk/api.py
+++ b/nova/virt/disk/api.py
@@ -363,7 +363,9 @@ def _join_and_check_path_within_fs(fs, *args):
     mounted guest fs.  Trying to be clever and specifying a
     path with '..' in it will hit this safeguard.
     '''
-    absolute_path = os.path.realpath(os.path.join(fs, *args))
+    absolute_path, _err = utils.execute('readlink', '-nm',
+                                        os.path.join(fs, *args),
+                                        run_as_root=True)
     if not absolute_path.startswith(os.path.realpath(fs) + '/'):
         raise exception.Invalid(_('injected file path not valid'))
     return absolute_path
-- 
cgit