[jira] [Commented] (CLOUDSTACK-1327) Cloudstack allows users to import huge templates from unauthorised URLs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-1327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13671231#comment-13671231 ]

Nux commented on CLOUDSTACK-1327:
---------------------------------

At the time of the testing I do not remember having modified max.template.iso.size, so the default must have been active.
The template I used was a sparse qcow2 file of less than 50GB, but with a virtual size of 1 TB. Does Cloudstack check the virtual size?

Cloudstack allows users to import huge templates from unauthorised URLs
-----------------------------------------------------------------------

            Key: CLOUDSTACK-1327
            URL: https://issues.apache.org/jira/browse/CLOUDSTACK-1327
        Project: CloudStack
     Issue Type: Bug
 Security Level: Public(Anyone can view this level - this is the default.)
     Components: Management Server, Template
Affects Versions: 4.0.1
    Environment: Centos 6 x86_64 kvm hypervisors
       Reporter: Nux
       Priority: Critical

Because Cloudstack deploys instances as r/w snapshots of the template, importing a template with, say, 1 TB diskspace will give you 1 TB instances... this will lead to service abuse.
Currently Cloudstack allows regular users to install templates from not allowed URLs.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
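The distinction Nux's question turns on, as an added example (not part of the thread and not CloudStack's code): a sparse qcow2 image declares its virtual disk size in its header, so a limit applied only to downloaded bytes does not bound it. The function names, the constructed header and the reading of max.template.iso.size as GiB are assumptions of this sketch.

```python
import io
import struct

QCOW2_MAGIC = b"QFI\xfb"
# Big-endian qcow2 header prefix: magic, version, backing_file_offset,
# backing_file_size, cluster_bits, size (virtual disk size in bytes).
HEADER = struct.Struct(">4sIQIIQ")
GIB = 1024 ** 3


def qcow2_virtual_size(stream):
    """Return the virtual disk size (bytes) declared in a qcow2 header."""
    raw = stream.read(HEADER.size)
    if len(raw) < HEADER.size:
        raise ValueError("truncated qcow2 header")
    magic, version, _bf_off, _bf_len, _cluster_bits, size = HEADER.unpack(raw)
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    return size


def check_template(stream, downloaded_bytes, max_gb=50):
    """Hypothetical admission check: apply the limit to both sizes.

    max_gb mirrors max.template.iso.size (default 50 per the thread);
    treating it as GiB is an assumption of this example.
    """
    limit = max_gb * GIB
    virtual = qcow2_virtual_size(stream)
    reasons = []
    if downloaded_bytes > limit:
        reasons.append("downloaded size %d exceeds limit" % downloaded_bytes)
    if virtual > limit:
        reasons.append("virtual size %d exceeds limit" % virtual)
    return (not reasons, virtual, reasons)


def make_sample_header(virtual_bytes):
    """Constructed sample: a minimal qcow2 v3 header prefix, no backing file."""
    return HEADER.pack(QCOW2_MAGIC, 3, 0, 0, 16, virtual_bytes)


if __name__ == "__main__":
    # Constructed case from the thread: under 50 GB on disk, 1 TB virtual.
    sparse = io.BytesIO(make_sample_header(1024 * GIB))
    print(check_template(sparse, downloaded_bytes=40 * GIB))
```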
[jira] [Commented] (CLOUDSTACK-1327) Cloudstack allows users to import huge templates from unauthorised URLs
[ https://issues.apache.org/jira/browse/CLOUDSTACK-1327?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670863#comment-13670863 ]

Alena Prokharchyk commented on CLOUDSTACK-1327:
-----------------------------------------------

The max template size that can be downloaded by the regular user is limited via the max.template.iso.size global config parameter (The maximum size for a downloaded template or ISO (in GB)). Default value is 50GB.