heat/heat/common
Daniel Gonzalez eab9a33ce7 Prevent template validate from scanning ports
The template validation method in the heat API allows specifying the
template to validate using a URL with the 'template_url' parameter.

By entering invalid http URLs, like 'http://localhost:22', it is
possible to scan ports by evaluating the error message of the request.

For example, the request

curl -H "Content-Type: application/json" -H "X-Auth-Token: <TOKEN>" \
-X POST -d '{"template_url": "http://localhost:22"}' \
http://127.0.0.1:8004/v1/<TENANT_ID>/validate

causes the following error message to be returned to the user:

"Could not retrieve template: Failed to retrieve template:
('Connection aborted.',
BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"

This could be misused by tenants to gain knowledge about the internal
network the heat API runs in.

To prevent this information leak, this patch alters the error message
to not include such details when the url scheme is not 'file'.

SecurityImpact

Closes-Bug: #1606500

Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
2016-10-18 16:43:24 +02:00
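The mitigation the commit message describes, shown as an added example that is not heat's own urlfetch.py code: a fetch wrapper that only surfaces the underlying exception text when the URL scheme is 'file', and returns a generic message for network schemes so that a remote service banner (like the SSH BadStatusLine above) is never echoed back to the tenant. The names fetch_template, URLFetchError, error_message and the injected fetcher callable are assumptions for this example; the fetcher is injected so the block runs offline against a constructed failure instead of a real socket.

```python
# Added example, not heat's code. Demonstrates redacting retrieval errors for
# non-'file' schemes as described in the commit message. All names here are
# hypothetical; the fetcher argument stands in for the real HTTP/file reader.
from urllib.parse import urlparse


class URLFetchError(Exception):
    """Raised when a template cannot be retrieved."""


def fetch_template(url, fetcher, allowed_schemes=("http", "https", "file")):
    """Retrieve a template via fetcher(url) -> bytes.

    On failure, the underlying exception text is only included for the
    'file' scheme (operator-controlled paths, where detail helps debugging).
    For network schemes a generic message is raised so that banners,
    refused/aborted distinctions and similar details are not exposed.
    """
    scheme = urlparse(url).scheme
    if scheme not in allowed_schemes:
        raise URLFetchError("Invalid URL scheme %s" % scheme)
    try:
        return fetcher(url)
    except Exception as exc:
        if scheme == "file":
            raise URLFetchError("Failed to retrieve template: %s" % exc)
        # Do not echo the remote error (e.g. a BadStatusLine carrying a
        # service banner) back to the API user.
        raise URLFetchError("Failed to retrieve template from %s" % url)


def error_message(url, fetcher):
    """Return the message a caller would see for a failing fetch."""
    try:
        fetch_template(url, fetcher)
    except URLFetchError as err:
        return str(err)
    return ""


# Constructed failure mimicking the error quoted in the commit message.
CONSTRUCTED_BANNER_ERROR = (
    "('Connection aborted.', "
    "BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
)


def failing_fetcher(url):
    """Stand-in for a reader whose connection was answered by a non-HTTP service."""
    raise ConnectionError(CONSTRUCTED_BANNER_ERROR)


def ok_fetcher(url):
    """Stand-in for a successful read of a small template."""
    return b"heat_template_version: 2016-10-14\nresources: {}\n"


if __name__ == "__main__":
    print(error_message("http://localhost:22", failing_fetcher))
    print(error_message("file:///var/lib/heat/templates/missing.yaml", failing_fetcher))
```

With the network failure the caller only learns that retrieval failed for the URL they supplied; the same exception under file:// keeps its detail, matching the scheme-based split the patch describes.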
__init__.py Empty files shouldn't contain copyright nor license 2013-12-24 20:29:31 +08:00
auth_password.py Sync context with oslo.context 2016-06-17 11:46:00 +10:00
auth_url.py Make auth_url lookup dynamic 2016-03-04 17:35:52 +01:00
cache.py Use caching for resource name/id finders 2016-02-18 17:52:03 +05:30
config.py Make nova server user_data format configurable 2016-10-03 09:34:11 +00:00
context.py Merge "Use to_policy_values from context for policy" 2016-07-15 05:57:59 +00:00
crypt.py Fix [H405] pep rule in heat/common 2015-10-08 15:13:52 +03:00
custom_backend_auth.py Fix some inconsistency in docstrings 2015-12-29 01:40:42 +08:00
endpoint_utils.py Use keystone session in endpoint_utils 2016-09-06 09:48:59 +05:30
environment_format.py Add new environment section for merge strategies 2016-08-19 08:54:30 +05:30
environment_util.py Use param_schema and merge strategy for merging 2016-08-22 17:35:54 +05:30
exception.py Use save_and_reraise_exception() in HeatException 2016-09-22 17:53:57 -04:00
grouputils.py InstanceGroup to keep FAILED resources in template 2016-01-21 22:22:31 -05:00
i18n.py Fix unfortunate spelling error 2016-04-04 12:43:16 -04:00
identifier.py Fix [H405] pep rule in heat/common 2015-10-08 15:13:52 +03:00
lifecycle_plugin_utils.py Fix [H405] pep rule in heat/common 2015-10-08 15:13:52 +03:00
messaging.py Use messaging notifications transport instead of default 2016-04-14 12:19:07 +03:00
netutils.py Add dns constraints 2016-07-26 10:01:06 +05:30
param_utils.py Convert props form delimited params to lists 2016-08-26 17:43:33 +05:30
plugin_loader.py Update the rest of the code to satisfy flake8 in a py34 env 2015-04-24 11:53:43 +05:30
pluginutils.py Log missing clients as WARNING instead of ERROR 2016-08-16 16:27:55 -05:00
policy.py Use to_policy_values from context for policy 2016-07-12 13:42:00 +10:00
profiler.py Use OSprofiler options consolidated in lib itself 2016-02-03 18:25:36 -08:00
serializers.py Fix [H405] pep rule in heat/common 2015-10-08 15:13:52 +03:00
service_utils.py Move some functions to service_utils 2016-06-01 03:57:04 +00:00
short_id.py Some lambda were replaced on def 2015-09-23 11:35:29 +01:00
template_format.py Parse JSON as JSON when converting to YAML 2016-08-16 17:44:36 -04:00
timeutils.py Restore timezone information in API response 2016-09-07 23:29:50 +02:00
urlfetch.py Prevent template validate from scanning ports 2016-10-18 16:43:24 +02:00
wsgi.py Using oslo_config's min attribute in heat 2016-08-24 05:36:47 +00:00