Thursday, 2017-01-19

[00:03] *** freerunner has joined #openstack-security
[00:17] *** dwyde has quit IRC
[00:18] *** hongbin has quit IRC
[00:21] *** browne has quit IRC
[00:23] *** catintheroof has joined #openstack-security
[00:25] *** browne has joined #openstack-security
[00:37] *** jamielennox|away is now known as jamielennox
[00:44] *** xin9972 has quit IRC
[00:47] *** B_Smith has quit IRC
[00:54] *** B_Smith has joined #openstack-security
[01:05] *** mdong has quit IRC
[01:05] *** salv-orlando has joined #openstack-security
[01:10] *** salv-orlando has quit IRC
[01:13] *** catintheroof has quit IRC
[01:14] *** catintheroof has joined #openstack-security
[01:14] *** catintheroof has quit IRC
[01:39] *** browne has quit IRC
[01:59] *** markvoelker has joined #openstack-security
[02:06] *** salv-orlando has joined #openstack-security
[02:11] *** salv-orlando has quit IRC
[02:20] *** knangia has quit IRC
[02:23] *** xin9972 has joined #openstack-security
[02:34] *** gouthamr_ has joined #openstack-security
[02:35] *** unrahul_ has joined #openstack-security
[02:40] *** zul has quit IRC
[02:41] *** gouthamr has quit IRC
[02:41] *** unrahul has quit IRC
[02:41] *** crdotson has quit IRC
[02:41] *** hyakuhei has quit IRC
[02:41] *** jamielennox has quit IRC
[02:43] *** unrahul_ is now known as unrahul
[02:44] *** gouthamr_ is now known as gouthamr
[02:44] *** yarkot has quit IRC
[02:44] *** zul has joined #openstack-security
[02:50] *** yarkot has joined #openstack-security
[02:56] *** markvoelker has quit IRC
[03:01] *** hyakuhei has joined #openstack-security
[03:10] *** markvoelker has joined #openstack-security
[03:11] *** diazjf has joined #openstack-security
[03:12] *** jamielennox|away has joined #openstack-security
[03:12] *** jamielennox|away is now known as jamielennox
[03:15] *** woodster_ has quit IRC
[03:19] *** B_Smith has quit IRC
[03:35] *** B_Smith has joined #openstack-security
[03:50] *** diazjf has quit IRC
[03:58] *** xin99721 has joined #openstack-security
[04:00] *** xin9972 has quit IRC
[04:04] *** edtubill has joined #openstack-security
[04:07] *** salv-orlando has joined #openstack-security
[04:10] *** jerrygb has quit IRC
[04:11] *** salv-orlando has quit IRC
[04:21] *** edtubill has quit IRC
[04:21] *** B_Smith has quit IRC
[04:30] *** crdotson has joined #openstack-security
[04:33] *** B_Smith has joined #openstack-security
[04:42] *** nkinder has joined #openstack-security
[04:58] *** elmiko is now known as _elmiko
[04:59] *** dikonoor has joined #openstack-security
[05:02] *** nkinder has quit IRC
[05:02] *** xin99721 has quit IRC
[05:10] *** jerrygb has joined #openstack-security
[05:15] *** jerrygb has quit IRC
[06:04] *** gouthamr has quit IRC
[06:08] *** salv-orlando has joined #openstack-security
[06:13] *** salv-orlando has quit IRC
[06:16] *** liujiong has joined #openstack-security
[06:49] *** B_Smith has quit IRC
[06:59] *** B_Smith has joined #openstack-security
[07:00] *** jerrygb has joined #openstack-security
[07:05] *** jerrygb has quit IRC
[07:53] *** shohel has joined #openstack-security
[08:09] *** salv-orlando has joined #openstack-security
[08:13] *** tesseract has joined #openstack-security
[08:14] *** salv-orlando has quit IRC
[08:33] *** openstackgerrit has quit IRC
[09:03] *** salv-orlando has joined #openstack-security
[09:19] *** dwyde has joined #openstack-security
[09:24] *** dwyde has quit IRC
[09:36] *** hyakuhei has quit IRC
[09:36] *** hyakuhei has joined #openstack-security
[09:36] *** hyakuhei has quit IRC
[09:36] *** hyakuhei has joined #openstack-security
[09:56] *** Serlex has joined #openstack-security
[09:56] *** B_Smith has quit IRC
[10:03] *** dwyde has joined #openstack-security
[10:07] *** dwyde has quit IRC
[10:13] *** liujiong has quit IRC
[10:23] *** salv-orl_ has joined #openstack-security
[10:24] *** B_Smith has joined #openstack-security
[10:26] *** salv-orlando has quit IRC
[10:28] *** jerrygb has joined #openstack-security
[10:29] *** B_Smith has quit IRC
[10:30] *** B_Smith has joined #openstack-security
[10:33] *** jerrygb has quit IRC
[11:39] *** dwyde has joined #openstack-security
[11:40] *** B_Smith has quit IRC
[11:42] *** salv-orl_ has quit IRC
[11:43] *** dwyde has quit IRC
[12:12] *** dwyde has joined #openstack-security
[12:16] *** dwyde has quit IRC
[12:29] *** jerrygb has joined #openstack-security
[12:34] *** jerrygb has quit IRC
[12:43] *** dwyde has joined #openstack-security
[12:43] *** catintheroof has joined #openstack-security
[12:44] *** B_Smith has joined #openstack-security
[12:47] *** dwyde has quit IRC
[12:48] *** dave-mccowan has joined #openstack-security
[13:03] *** strattao has joined #openstack-security
[13:05] *** jmckind has joined #openstack-security
[13:06] *** shohel1 has joined #openstack-security
[13:09] *** shohel has quit IRC
[13:12] *** gouthamr has joined #openstack-security
[13:13] *** jerrygb has joined #openstack-security
[13:16] *** dwyde has joined #openstack-security
[13:18] *** jmckind has quit IRC
[13:18] *** jmckind has joined #openstack-security
[13:20] *** dwyde has quit IRC
[13:43] *** salv-orlando has joined #openstack-security
[13:49] *** dwyde has joined #openstack-security
[13:50] *** strattao has quit IRC
[13:53] *** dwyde has quit IRC
[13:54] *** strattao has joined #openstack-security
[13:57] *** markvoelker has quit IRC
[14:01] *** markvoelker has joined #openstack-security
[14:03] *** _elmiko is now known as elmiko
[14:05] *** salv-orlando has quit IRC
[14:05] *** salv-orlando has joined #openstack-security
[14:05] *** strattao has quit IRC
[14:07] *** shohel1 has quit IRC
[14:21] *** dwyde has joined #openstack-security
[14:23] *** shohel has joined #openstack-security
[14:26] *** dwyde has quit IRC
[14:31] *** shohel has quit IRC
[14:36] *** dikonoor has quit IRC
[14:44] *** liverpooler has joined #openstack-security
[14:47] *** shohel has joined #openstack-security
[14:48] *** liverpooler has quit IRC
[14:49] *** liverpooler has joined #openstack-security
[14:52] *** dwyde has joined #openstack-security
[14:53] *** nkinder has joined #openstack-security
[14:57] *** dwyde has quit IRC
[15:02] *** salv-orlando has quit IRC
[15:07] <rarora> I was looking at Bandit issues, can anyone give me a little more detail about why B310 is an issue? It says "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
[15:13] *** xin9972 has joined #openstack-security
[15:14] <sigmavirus> rarora: do you mean, why B310 exists (rather than why it's problematic)?
[15:14] <rarora> sigmavirus: yes
[15:14] <sigmavirus> rarora: B310 exists to alert the developer to the fact that untrusted URLs can access local files
[15:14] <rarora> I looked at some of the documentation for the library but was still a little confused
[15:15] <sigmavirus> rarora: for example, if someone gives you a URL to download data from (ostensibly to store locally) and they give you a file:// URL, you might be tricked into downloading /etc/shadow
[15:15] <rarora> Oh, alright. My understanding was that you would be able to get untrusted files from the web, not that the URL would be able to access files on the machine
[15:15] <sigmavirus> And this check exists to warn you
[15:15] <sigmavirus> If you're not handling untrusted URLs, then you can ignore B310
[15:15] <sigmavirus> rarora: file:// is local only
[15:16] <sigmavirus> You can use urlopen to access a local file on your machine as long as you can read it
[15:16] <rarora> So if it is local only how would I be downloading something?
[15:17] *** strattao has joined #openstack-security
[15:17] <rarora> I'm thinking of this from the perspective of me running Cinder on a machine, if a URL is file:/ I'm just a little confused about the security issue if the file is already somewhere on my machine?
[15:19] *** edtubill has joined #openstack-security
[15:21] *** strattao has quit IRC
[15:28] *** markvoelker_ has joined #openstack-security
[15:29] *** markvoelker has quit IRC
[15:31] *** markvoelker has joined #openstack-security
[15:32] <rarora> sigmavirus: ?
[15:33] *** markvoelker_ has quit IRC
[15:33] <sigmavirus> rarora: so a better OpenStack-y example is with glance
[15:33] <sigmavirus> let's say you use glance v1 and tell it to copy-from file:///etc/shadow
[15:33] <sigmavirus> Glance (were it not careful) would copy that as image data
[15:33] <sigmavirus> Then the user could do "glance image-download <id>"
[15:33] <sigmavirus> and get that
[15:34] <sigmavirus> So in some cases it can be used for data exfiltration
[15:34] <sigmavirus> With Cinder, I don't think there's a way for a user to download a volume
[15:34] <rarora> ahh, I see now, okay thanks! sorry I was a bit dense :D
[15:35] <rarora> sigmavirus: yeah, I'll have to look into each case, but I don't think it will be an issue there
[15:35] <sigmavirus> rarora: no need to apologize at all!
[15:35] <sigmavirus> rarora: like I said, it's merely a warning that will get you to look a little more closely, ideally
[15:42] *** dikonoor has joined #openstack-security
[15:48] *** hongbin has joined #openstack-security
[15:57] *** dwyde has joined #openstack-security
[16:03] *** salv-orlando has joined #openstack-security
[16:24] *** salv-orl_ has joined #openstack-security
[16:27] *** salv-orlando has quit IRC
[16:34] *** salv-orl_ has quit IRC
[16:37] *** jmckind_ has joined #openstack-security
[16:38] *** strattao has joined #openstack-security
[16:39] *** jmckind has quit IRC
[16:41] *** strattao has quit IRC
[16:46] <sigmavirus> hyakuhei: meeting in ~14 min?
[16:51] *** edtubill has quit IRC
[16:56] <hyakuhei> sigmavirus yup :)
[16:57] *** salv-orlando has joined #openstack-security
[17:00] *** knangia has joined #openstack-security
[17:00] <hyakuhei> Meeting started over in #openstack-meeting-alt
[17:01] *** edtubill has joined #openstack-security
[17:03] *** diazjf has joined #openstack-security
[17:04] *** liverpooler has quit IRC
[17:05] *** liverpooler has joined #openstack-security
[17:07] *** sicarie has joined #openstack-security
[17:11] *** mdong has joined #openstack-security
[17:12] *** liverpooler has quit IRC
[17:12] *** liverpooler has joined #openstack-security
[17:14] *** dikonoor has quit IRC
[17:14] *** strattao has joined #openstack-security
[17:16] *** liverpooler has quit IRC
[17:17] *** liverpooler has joined #openstack-security
[17:18] *** shohel has quit IRC
[17:31] *** B_Smith has quit IRC
[17:32] *** strattao has quit IRC
[17:37] *** browne has joined #openstack-security
[17:39] *** Serlex has quit IRC
[17:44] *** B_Smith has joined #openstack-security
[17:45] *** salv-orlando has quit IRC
[17:54] *** diazjf has quit IRC
[17:54] *** dwyde has quit IRC
[18:18] *** catinthe_ has joined #openstack-security
[18:18] *** catintheroof has quit IRC
[18:25] *** dwyde has joined #openstack-security
[18:39] *** mdong has quit IRC
[18:39] *** mdong_ has joined #openstack-security
[18:40] *** mdong_ has quit IRC
[18:44] *** mdong has joined #openstack-security
[18:45] *** B_Smith has quit IRC
[19:02] *** jmckind_ has quit IRC
[19:08] *** jmckind has joined #openstack-security
[19:15] *** diazjf has joined #openstack-security
[19:24] *** sicarie has quit IRC
[19:29] *** tesseract has quit IRC
[19:30] *** jmckind_ has joined #openstack-security
[19:32] *** jmckind has quit IRC
[19:35] *** strattao has joined #openstack-security
[19:39] *** nkinder has quit IRC
[19:42] *** B_Smith has joined #openstack-security
[20:08] *** dave-mccowan has quit IRC
[20:09] *** dave-mccowan has joined #openstack-security
[20:11] *** salv-orlando has joined #openstack-security
[20:17] *** jmckind has joined #openstack-security
[20:19] *** jmckind_ has quit IRC
[20:24] *** openstackgerrit has joined #openstack-security
[20:24] <openstackgerrit> Philip Jones proposed openstack/bandit: Alter SQL injection plugin to consider .format strings  https://review.openstack.org/417695
[20:28] *** strattao has quit IRC
[20:29] *** jmckind_ has joined #openstack-security
[20:30] *** jmckind has quit IRC
[20:33] *** jmckind_ has quit IRC
[20:39] *** jmckind has joined #openstack-security
[20:47] *** browne has quit IRC
[20:47] *** diazjf has quit IRC
[20:49] *** diazjf has joined #openstack-security
[20:49] *** browne has joined #openstack-security
[20:56] *** mdong has quit IRC
[20:56] *** mdong has joined #openstack-security
[20:57] *** pablo|500| has quit IRC
[20:57] *** salv-orlando has quit IRC
[21:30] *** woodster_ has joined #openstack-security
[21:36] *** salv-orlando has joined #openstack-security
[21:57] *** diazjf has quit IRC
[22:02] *** jmckind has quit IRC
[22:08] *** dave-mccowan has quit IRC
[22:24] *** salv-orl_ has joined #openstack-security
[22:27] *** salv-orlando has quit IRC
[22:45] *** gouthamr has quit IRC
[23:02] *** gouthamr has joined #openstack-security
[23:22] *** edtubill has quit IRC
[23:25] *** elmiko is now known as _elmiko

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!