GitHub user nnesic opened a pull request:

    https://github.com/apache/cloudstack/pull/1006

    Fixed user_vm_view to only display keypairs belonging to the account.

    The user_vm_view displays the keypair information by joining vm_details 
with ssh_keypairs on the key value exclusively. 
    
    We found a scenario in which this can cause information leakage. If there 
are two accounts using the same key, but create a different key name for it, 
and then a vm is created using one of the keys, the view will list both 
keypairs as belonging to the vm, which can in turn cause confusion to the users 
who see a keypair name which they did not create. 
    
    The fix simply limits the view to displaying keypairs which belong to the vm's 
account. 
    
    I added it to the latest schema migration only; should I also include it in 
the previous ones? 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/greenqloud/cloudstack user_vm_keypairs_fix

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/cloudstack/pull/1006.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1006
    
----
commit aae47af5c1798dd480144bc38425251307838a62
Author: nnesic <n...@greenqloud.com>
Date:   2015-10-29T12:18:17Z

    Fixed user_vm_view to only display keypairs belonging to the account.

----
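The join problem described in the pull request, reproduced on a toy schema as an added example (this is not CloudStack's schema, view definition, or the patch itself). The table and column names `vm_instance`, `user_vm_details`, `ssh_keypairs`, the `SSH.PublicKey` detail name and the `public_key`/`keypair_name` columns are assumptions that only sketch the real tables; the sample rows and the key string are constructed. The "leaky" view joins keypairs on the key value alone, the "fixed" view additionally scopes the join to the VM's account, which is the shape of the correction the PR proposes.

```python
"""Why joining ssh_keypairs on the key value alone leaks keypair names
across accounts, and how an account-scoped join stops it.

Added example; hypothetical, simplified tables, not CloudStack's own.
"""
import sqlite3

# Hypothetical schema: only the columns needed to show the join are present.
SCHEMA = """
CREATE TABLE vm_instance (
    id         INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL
);
CREATE TABLE user_vm_details (
    vm_id INTEGER NOT NULL,
    name  TEXT    NOT NULL,
    value TEXT    NOT NULL
);
CREATE TABLE ssh_keypairs (
    id           INTEGER PRIMARY KEY,
    account_id   INTEGER NOT NULL,
    keypair_name TEXT    NOT NULL,
    public_key   TEXT    NOT NULL
);
"""

# Constructed sample key; both accounts register the very same public key.
SHARED_KEY = "ssh-rsa AAAAB3Nza...constructed-sample-key... user@example"

# Constructed data: VM 100 belongs to account 1 and was deployed with the key.
SAMPLE_ROWS = {
    "vm_instance": [(100, 1)],
    "user_vm_details": [(100, "SSH.PublicKey", SHARED_KEY)],
    "ssh_keypairs": [
        (1, 1, "alice-key", SHARED_KEY),  # account 1's name for the key
        (2, 2, "bob-key", SHARED_KEY),    # account 2's name for the same key
    ],
}

# Leaky view: keypairs are matched by key value only, so every account that
# registered that key contributes a row to the VM's listing.
LEAKY_VIEW = """
CREATE VIEW user_vm_view_leaky AS
SELECT vm.id AS vm_id, vm.account_id, kp.keypair_name
FROM vm_instance vm
LEFT JOIN user_vm_details d
       ON d.vm_id = vm.id AND d.name = 'SSH.PublicKey'
LEFT JOIN ssh_keypairs kp
       ON kp.public_key = d.value;
"""

# Fixed view: the keypair must also belong to the account that owns the VM.
FIXED_VIEW = """
CREATE VIEW user_vm_view_fixed AS
SELECT vm.id AS vm_id, vm.account_id, kp.keypair_name
FROM vm_instance vm
LEFT JOIN user_vm_details d
       ON d.vm_id = vm.id AND d.name = 'SSH.PublicKey'
LEFT JOIN ssh_keypairs kp
       ON kp.public_key = d.value
      AND kp.account_id = vm.account_id;
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with the sample rows and both views."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" for _ in rows[0])
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.executescript(LEAKY_VIEW + FIXED_VIEW)
    conn.commit()
    return conn


def keypair_names(conn: sqlite3.Connection, view: str, vm_id: int) -> list:
    """Return the sorted keypair names the given view reports for one VM."""
    rows = conn.execute(
        f"SELECT keypair_name FROM {view} WHERE vm_id = ?", (vm_id,)
    ).fetchall()
    return sorted(r[0] for r in rows if r[0] is not None)


def foreign_names(conn: sqlite3.Connection, view: str, vm_id: int) -> list:
    """Keypair names the view shows for a VM that its owner never created:
    the information leak the PR describes. Empty for a correct view."""
    rows = conn.execute(
        f"""SELECT v.keypair_name
            FROM {view} v
            WHERE v.vm_id = ?
              AND v.keypair_name IS NOT NULL
              AND v.keypair_name NOT IN (
                  SELECT keypair_name FROM ssh_keypairs
                  WHERE account_id = v.account_id)""",
        (vm_id,),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("leaky:", keypair_names(db, "user_vm_view_leaky", 100))
    print("fixed:", keypair_names(db, "user_vm_view_fixed", 100))
    print("leaked:", foreign_names(db, "user_vm_view_leaky", 100))
```

Running it shows the leaky view listing both `alice-key` and `bob-key` for account 1's VM, while the account-scoped view lists only `alice-key`. The `foreign_names` check is the kind of query a reviewer can run against a real view to confirm no row names a keypair owned by another account.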


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---