Do not return location in headers

In some cases credentials were being leaked when downloading a cached
v1 image.

Fixes bug 1135541, CVE-2013-1840

Change-Id: Ib16ad40d3ea1c642384053be54ce029c386d7ea6
Stuart McLaren 2013-03-14 14:22:00 +00:00
parent 37d4d96bf8
commit 74b067df97
1 changed files with 3 additions and 0 deletions

@ -79,6 +79,9 @@ class CacheFilter(wsgi.Middleware):
context = request.context
try:
image_meta = registry.get_image_metadata(context, image_id)
# Don't display location
if 'location' in image_meta:
del image_meta['location']
if not image_meta['size']:
# override image size metadata with the actual cached
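Review bot: The added comment `# Don't display location` above the `del` does not say why the key is dropped. The commit message ties it to credentials leaking on cached v1 downloads, so the comment should say that the location value can carry credentials and must not reach the response headers; otherwise a later refactor could restore it. The check-then-delete pair could also be written as `image_meta.pop('location', None)`. The commit changes one file with three added lines and no test: a regression test that downloads a cached v1 image through this middleware and asserts that no location value appears in the returned headers would guard the fix.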