@Erno: I am fine with holding this if you think we can have a resolution before 19 December, I guess. My concern is that this is an obvious attack vector -- all the code is available, and anyone scanning the config file sees "GRAVE SECURITY RISK" associated with the settings for show_multiple_locations and show_image_direct_url, and would be inclined to investigate and see what damage you can do with those. We've already mentioned in release notes the desirability of only exposing locations on an internal-only-facing glance-api, so the contents of this bug are pretty much already "out there", and it would be good to make sure operators are as aware of it as malicious actors are.
I'm not clear on what holding this gets us. The COW glance configuration is popular for space and time optimization, and I'm not sure what operators will accept. I really don't see the point of computing missing hash values if they're not being checked at the point of image data consumption, and that's exactly what operators don't want.
Anyway, let's continue to discuss this, being specific about the glance-side changes that would mitigate this. If we can fix and backport a good solution, I'm all for keeping this private while we get that done, though I really don't see the point of the privacy, because I think the exploit is already known.