Issue #3424

FileContent relative_path is not validated

Added by daviddavis over 2 years ago. Updated over 2 years ago.

Status: NEW
Priority: Normal
Assignee: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Platform Release:
OS:
Triaged: Yes
Groomed: Yes
Sprint Candidate:
Tags:
Sprint:

Description

The relative_path field on file content units is not validated. This can be problematic when publishing the content. For instance, if the path contains a comma, the PULP_MANIFEST doesn't do any escaping.

Also, I was able to create a file content unit with path PULP_MANIFEST which was then served instead of the actual PULP_MANIFEST.

Relevant code for Manifest:

https://github.com/pulp/pulp_file/blob/master/pulp_file/app/tasks/publishing.py#L94
https://github.com/pulp/pulp_file/blob/master/pulp_file/manifest.py#L46-L57
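
One way the missing validation could look, as an added example that is not part of the issue or of pulp_file's code. It assumes a manifest entry is `path,digest,size` joined by commas with one entry per line; the function names and sample paths are hypothetical.

```python
import posixpath

MANIFEST_NAME = "PULP_MANIFEST"  # reserved name, taken from the issue text


def manifest_line(relative_path, digest, size):
    # Assumed layout: fields joined with commas and no escaping.
    return f"{relative_path},{digest},{size}"


def parse_line(line):
    # A reader of an unescaped format can only split on every comma.
    return line.split(",")


def validate_relative_path(relative_path):
    """Return the reasons a path is unsafe to publish (empty list = OK)."""
    if not relative_path:
        return ["empty path"]
    problems = []
    if "," in relative_path:
        problems.append("contains a comma, which splits the manifest entry")
    if any(ch in relative_path for ch in "\r\n"):
        problems.append("contains a line break, which splits the manifest entry")
    # Normalize first so './PULP_MANIFEST' and 'a/../PULP_MANIFEST' are caught.
    if posixpath.normpath(relative_path) == MANIFEST_NAME:
        problems.append("collides with the published manifest")
    return problems


def check(paths):
    return {path: validate_relative_path(path) for path in paths}


# Constructed sample input, not taken from a real repository.
SAMPLE = ["iso/disk1.iso", "notes,final.txt", "PULP_MANIFEST",
          "./PULP_MANIFEST", "sub/PULP_MANIFEST"]

if __name__ == "__main__":
    for path, problems in check(SAMPLE).items():
        print(f"{path!r}: {problems or 'ok'}")
    # The comma case from the issue: three fields written, four read back.
    print(parse_line(manifest_line("notes,final.txt", "ab12", 10)))
```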

History

#1 Updated by daviddavis over 2 years ago

  • Subject changed from Content unit path is not validated to ContentArtifact relative_path is not validated
  • Description updated (diff)

#2 Updated by daviddavis over 2 years ago

  • Project changed from File Support to Pulp

#3 Updated by daviddavis over 2 years ago

  • Description updated (diff)

#4 Updated by daviddavis over 2 years ago

  • Project changed from Pulp to File Support
  • Subject changed from ContentArtifact relative_path is not validated to FileContent relative_path is not validated
  • Description updated (diff)

#5 Updated by dalley over 2 years ago

  • Sprint/Milestone set to 56
  • Triaged changed from No to Yes

#6 Updated by bmbouter over 2 years ago

  • Sprint set to Sprint 33

#7 Updated by bmbouter over 2 years ago

  • Sprint/Milestone deleted (56)

#8 Updated by jortel@redhat.com over 2 years ago

  • Sprint Candidate changed from No to Yes

#9 Updated by jortel@redhat.com over 2 years ago

  • Sprint deleted (Sprint 33)

#10 Updated by daviddavis over 2 years ago

  • Groomed changed from No to Yes

#11 Updated by daviddavis over 2 years ago

  • Sprint Candidate deleted (Yes)
