cloudstack-dev mailing list archives

From nnesic <...@git.apache.org>
Subject [GitHub] cloudstack pull request: Fixed user_vm_view to only display keypai...
Date Thu, 29 Oct 2015 13:11:10 GMT
GitHub user nnesic opened a pull request:

    https://github.com/apache/cloudstack/pull/1006

    Fixed user_vm_view to only display keypairs belonging to the account.

    The user_vm_view displays the keypair information by joining vm_details with ssh_keypairs
on the key value exclusively. 
    
    We found a scenario in which this can cause information leakage. If there are two accounts
using the same key, but create a different key name for it, and then a vm is created using
one of the keys, the view will list both keypairs as belonging to the vm, which can in turn
cause confusion to the users who see a keypair name which they did not create. 
    
    The fix simply limits the view to displaying keypairs which belong to vm's account. 
    
    I added it to the latest schema migration only; should I also include it in the previous
ones? 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/greenqloud/cloudstack user_vm_keypairs_fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1006.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1006
    
----
commit aae47af5c1798dd480144bc38425251307838a62
Author: nnesic <nera@greenqloud.com>
Date:   2015-10-29T12:18:17Z

    Fixed user_vm_view to only display keypairs belonging to the account.

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
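
The join behaviour described in the pull request, reproduced as an added example that is not part of the original message or the CloudStack code base. The tables are a constructed, simplified stand-in for the real schema; the column names, the 'ssh-public-key' detail name and the sample accounts are assumptions.

```python
import sqlite3

# Constructed, simplified schema: only the columns needed to show the join.
SCHEMA = """
CREATE TABLE vm_instance (id INTEGER PRIMARY KEY, name TEXT, account_id INTEGER);
CREATE TABLE vm_details (vm_id INTEGER, name TEXT, value TEXT);
CREATE TABLE ssh_keypairs (id INTEGER PRIMARY KEY, account_id INTEGER,
                           keypair_name TEXT, public_key TEXT);
"""
SHARED_KEY = "ssh-rsa AAAA-constructed-sample-key"  # same key registered twice

# Join on the key value only, as the description says the view did.
LEAKY = """
SELECT vm.name, kp.keypair_name
FROM vm_instance vm
JOIN vm_details d ON d.vm_id = vm.id AND d.name = 'ssh-public-key'
JOIN ssh_keypairs kp ON kp.public_key = d.value
WHERE vm.account_id = ?
ORDER BY kp.keypair_name
"""
# Same join, additionally restricted to keypairs owned by the VM's account.
SCOPED = LEAKY.replace(
    "kp.public_key = d.value",
    "kp.public_key = d.value AND kp.account_id = vm.account_id")

def build_db():
    """Two accounts (1 and 2) register the same key under different names."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO ssh_keypairs (account_id, keypair_name, public_key) "
        "VALUES (?, ?, ?)",
        [(1, "alice-laptop", SHARED_KEY), (2, "bob-ops", SHARED_KEY)])
    db.execute("INSERT INTO vm_instance VALUES (1, 'vm-alice', 1)")
    db.execute("INSERT INTO vm_details VALUES (1, 'ssh-public-key', ?)",
               (SHARED_KEY,))
    return db

def keypair_names(db, query, account_id):
    """Keypair names the given query shows for the account's VMs."""
    return [row[1] for row in db.execute(query, (account_id,))]

def foreign_names(db, account_id):
    """Audit check: names shown on the account's VMs that it does not own."""
    owned = {r[0] for r in db.execute(
        "SELECT keypair_name FROM ssh_keypairs WHERE account_id = ?",
        (account_id,))}
    return [n for n in keypair_names(db, LEAKY, account_id) if n not in owned]

if __name__ == "__main__":
    db = build_db()
    print("key-only join:", keypair_names(db, LEAKY, 1))
    print("account-scoped join:", keypair_names(db, SCOPED, 1))
```
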
