Do not return location in headers
In some cases credentials were being leaked when downloading a cached v1 image. Fixes bug 1135541, CVE-2013-1840 Change-Id: I3ec0a8f484fe1bdc32c3c56fce810fcef347a7f6
This commit is contained in:
parent
04f88c8d56
commit
dd849a9be5
|
@ -111,6 +111,9 @@ class CacheFilter(wsgi.Middleware):
|
|||
|
||||
def _process_v1_request(self, request, image_id, image_iterator):
|
||||
image_meta = registry.get_image_metadata(request.context, image_id)
|
||||
# Don't display location
|
||||
if 'location' in image_meta:
|
||||
del image_meta['location']
|
||||
|
||||
if not image_meta['size']:
|
||||
# override image size metadata with the actual cached
|
||||
|
|
Loading…
Reference in New Issue