admins can see deleted images in v2 api

Bug #1071446 reported by Mark Washenberger
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
Fix Released
Medium
Mark Washenberger
Folsom
Fix Released
Medium
Brian Waldon
Grizzly
Fix Released
Medium
Mark Washenberger
glance (Ubuntu)
Fix Released
Undecided
Unassigned
Quantal
Fix Released
Undecided
Unassigned

Bug Description

No one, including admins, should be able to show, list, or modify deleted images in glance v2 api.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/14841

Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
status: New → In Progress
Changed in glance:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/14841
Committed: http://github.com/openstack/glance/commit/57b8817bb699628c60636479f2cfb36b7d2a7bca
Submitter: Jenkins
Branch: master

commit 57b8817bb699628c60636479f2cfb36b7d2a7bca
Author: Mark Washenberger <email address hidden>
Date: Thu Oct 25 19:46:10 2012 +0000

    Return HTTP 404 for deleted images in v2

    For admin contexts, the db api will return deleted images. This patch
    manually checks for deleted images in the v2 controller code to treat
    these cases as if the images didn't exist.

    Fixes bug 1071446

    Change-Id: I33075f94e9d560a279085e2afd18c8052f57d60b

Changed in glance:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/15148

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/folsom)

Reviewed: https://review.openstack.org/15148
Committed: http://github.com/openstack/glance/commit/26c80856620f2ac3a662028eb3d53c3196b66a82
Submitter: Jenkins
Branch: stable/folsom

commit 26c80856620f2ac3a662028eb3d53c3196b66a82
Author: Mark Washenberger <email address hidden>
Date: Thu Oct 25 19:46:10 2012 +0000

    Return HTTP 404 for deleted images in v2

    For admin contexts, the db api will return deleted images. This patch
    manually checks for deleted images in the v2 controller code to treat
    these cases as if the images didn't exist.

    Fixes bug 1071446

    Change-Id: I33075f94e9d560a279085e2afd18c8052f57d60b

Thierry Carrez (ttx)
Changed in glance:
milestone: none → grizzly-1
status: Fix Committed → Fix Released
Changed in glance (Ubuntu):
status: New → Fix Released
Changed in glance (Ubuntu Quantal):
status: New → Confirmed
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Please test proposed package

Hello Mark, or anyone else affected,

Accepted glance into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/glance/2012.2.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in glance (Ubuntu Quantal):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glance - 2012.2.1-0ubuntu1

---------------
glance (2012.2.1-0ubuntu1) quantal-proposed; urgency=low

  * Dropped patches, applied upstream:
    - debian/patches/CVE-2012-4573.patch
    - debian/patches/CVE-2012-4573b.patch
  * Resynchronize with stable/folsom (199783ce) (LP: #1085255):
    - [49408e9] Glance image-delete HTTPInternalServerError HTTP 500
      (LP: #1075580)
    - [91aaa48] Image fails to upload to swift: TypeError: object of type
      'CooperativeReader' has no len( (LP: #1057322)
    - [a296a5b] Return 403 when admin deletes a deleted image (LP: #1060944)
    - [3e58a6a] Disallow updating deleted images. (LP: #1060930)
    - [26c8085] admins can see deleted images in v2 api (LP: #1071446)
    - [8321ca6] No exclude option to skip tests in run_tests.sh (LP: #1065758)
    - [c3bea11] Badly named stable/folsom Glance tarballs (LP: #1059634)
    - [fc0ee76] Non-admin users can cause public glance images to be deleted
      from the backend storage repository in the v2 api (LP: #1076506)
    - [90bcdc5] Non-admin users can cause public glance images to be deleted
      from the backend storage repository (LP: #1065187)
    - [7841cc9] FakeAuth not always admin
    - [ddad275] Jenkins jobs fail because of incompatibility between sqlalchemy-
      migrate and the newest sqlalchemy-0.8.0b1 (LP: #1073569)
    - [1d5c651] nosetest options cause no such option errors (LP: #1056420)
    - [ac223e2] Set defaultbranch in .gitreview to stable/folsom
 -- Adam Gandelman <email address hidden> Tue, 04 Dec 2012 09:19:35 -0800

Changed in glance (Ubuntu Quantal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.