From c5d76cdd2e2e99d4ac65b645b17cf8a43e4ccab4 Mon Sep 17 00:00:00 2001
From: Prashanth Pai
Date: Tue, 8 Sep 2015 15:44:09 +0530
Subject: Do not use pickle: Use json
Change-Id: Iffdd56704330897fbde21f101c9b2ed03c2ae296
Signed-off-by: Prashanth Pai
Reviewed-by: Thiago da Silva
Tested-by: Thiago da Silva
Reviewed-on: http://review.gluster.org/13221
---
 etc/fs.conf-gluster | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'etc/fs.conf-gluster')
diff --git a/etc/fs.conf-gluster b/etc/fs.conf-gluster
index 6d2a791..31a5e6f 100644
--- a/etc/fs.conf-gluster
+++ b/etc/fs.conf-gluster
@@ -10,4 +10,15 @@ mount_ip = localhost
 # numbers of objects, at the expense of an accurate count of combined bytes
 # used by all objects in the container. For most installations "off" works
 # fine.
-accurate_size_in_listing = off
\ No newline at end of file
+accurate_size_in_listing = off
+
+# In older versions of gluster-swift, metadata stored as xattrs of dirs/files
+# were serialized using PICKLE format. The PICKLE format is vulnerable to
+# exploits in deployments where a user has access to backend filesystem over
+# FUSE/SMB. Deserializing pickled metadata can result in malicious code being
+# executed if an attacker has stored malicious code as xattr from filesystem
+# interface. Although, new metadata is always serialized using JSON format,
+# existing metadata already stored in PICKLE format are loaded by default.
+# You can turn this option to 'off' once you have migrated all your metadata
+# from PICKLE format to JSON format using gluster-swift-migrate-metadata tool.
+read_pickled_metadata = on
-- 
cgit
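Review bot: The shipped value `read_pickled_metadata = on` keeps the pickle-loading path enabled by default, which is the same path the comment above it describes as allowing code execution from attacker-written xattrs. An installation that never stored pickled metadata therefore stays exposed until an operator edits the file. The comment frames turning it off as optional ("You can turn this option to 'off'"); it should say outright that the exposure persists while the option is on, for example by adding `# Deployments with no pickled metadata (e.g. new installations) should set this to 'off';` and `# while it is 'on', pickled xattrs are still deserialized.` This page is limited to etc/fs.conf-gluster, so the value the code assumes when the key is absent is not visible here. If that fallback is also on, the sample file and the code should both document it.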