Project

Profile

Help

Issue #3424

closed

FileContent relative_path is not validated

Added by daviddavis about 6 years ago. Updated about 2 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Platform Release:
OS:
Triaged:
Yes
Groomed:
Yes
Sprint Candidate:
Tags:
Sprint:
Quarter:

Description

Ticket moved to GitHub: "pulp/pulp_file/607":https://github.com/pulp/pulp_file/issues/607


The relative_path field on file content units is not validated. This can be problematic when publishing the content. For instance, if the path contains a comma, the PULP_MANIFEST doesn't do any escaping.

Also, I was able to create a file content unit with path PULP_MANIFEST which was then served instead of the actual PULP_MANIFEST.

Relevant code for Manifest:

https://github.com/pulp/pulp_file/blob/master/pulp_file/app/tasks/publishing.py#L94
https://github.com/pulp/pulp_file/blob/master/pulp_file/manifest.py#L46-L57

Actions #1

Updated by daviddavis about 6 years ago

  • Subject changed from Content unit path is not validated to ContentArtifact relative_path is not validated
  • Description updated (diff)
Actions #2

Updated by daviddavis about 6 years ago

  • Project changed from File Support to Pulp
Actions #3

Updated by daviddavis about 6 years ago

  • Description updated (diff)
Actions #4

Updated by daviddavis about 6 years ago

  • Project changed from Pulp to File Support
  • Subject changed from ContentArtifact relative_path is not validated to FileContent relative_path is not validated
  • Description updated (diff)
Actions #5

Updated by dalley about 6 years ago

  • Sprint/Milestone set to 56
  • Triaged changed from No to Yes
Actions #6

Updated by bmbouter about 6 years ago

  • Sprint set to Sprint 33
Actions #7

Updated by bmbouter about 6 years ago

  • Sprint/Milestone deleted (56)
Actions #8

Updated by jortel@redhat.com about 6 years ago

  • Sprint Candidate changed from No to Yes
Actions #9

Updated by jortel@redhat.com about 6 years ago

  • Sprint deleted (Sprint 33)
Actions #10

Updated by daviddavis about 6 years ago

  • Groomed changed from No to Yes
Actions #11

Updated by daviddavis almost 6 years ago

  • Sprint Candidate deleted (Yes)
Actions #12

Updated by pulpbot about 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE

Also available in: Atom PDF