Do not return location in headers

In some cases credentials were being leaked when downloading a cached v1 image. Fixes bug 1135541, CVE-2013-1840 Change-Id: I3ec0a8f484fe1bdc32c3c56fce810fcef347a7f6
2013-03-14 13:43:36 +00:00 · 2013-03-14 13:43:36 +00:00 · dd849a9be5
parent 04f88c8d56
commit dd849a9be5
1 changed files with 3 additions and 0 deletions
--- a/glance/api/middleware/cache.py
+++ b/glance/api/middleware/cache.py
@ -111,6 +111,9 @@ class CacheFilter(wsgi.Middleware):

    def _process_v1_request(self, request, image_id, image_iterator):
        image_meta = registry.get_image_metadata(request.context, image_id)
+        # Don't display location
+        if 'location' in image_meta:
+            del image_meta['location']

        if not image_meta['size']:
            # override image size metadata with the actual cached