Issue #3424
FileContent relative_path is not validated
Status: CLOSED - DUPLICATE
Priority: Normal
Assignee: -
Severity: 2. Medium
Triaged: Yes
Groomed: Yes
Description
Ticket moved to GitHub: pulp/pulp_file/607 (https://github.com/pulp/pulp_file/issues/607)
The relative_path field on file content units is not validated. This can be problematic when publishing the content. For instance, if the path contains a comma, the PULP_MANIFEST doesn't do any escaping.
Also, I was able to create a file content unit with path PULP_MANIFEST which was then served instead of the actual PULP_MANIFEST.
Relevant code for Manifest:
https://github.com/pulp/pulp_file/blob/master/pulp_file/app/tasks/publishing.py#L94
https://github.com/pulp/pulp_file/blob/master/pulp_file/manifest.py#L46-L57
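The following is an added example, not part of the original ticket and not pulp_file's own code. It sketches the kind of relative_path validation the ticket calls for and shows why an unescaped comma breaks a manifest consumer. It assumes each manifest line has the form relative_path,digest,size; all function names are hypothetical, and the validator goes beyond the two reported cases by also rejecting absolute and non-normalized paths.

```python
import posixpath

MANIFEST_NAME = "PULP_MANIFEST"  # file the publication generates itself
FIELD_SEP = ","                  # assumed line layout: relative_path,digest,size

def manifest_line(relative_path, digest, size):
    """Writer with no escaping, the behaviour the ticket reports."""
    return f"{relative_path}{FIELD_SEP}{digest}{FIELD_SEP}{size}"

def parse_manifest_line(line):
    """Consumer that expects exactly three fields per line."""
    fields = line.rstrip("\n").split(FIELD_SEP)
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    path, digest, size = fields
    return path, digest, int(size)

def validate_relative_path(relative_path):
    """Hypothetical validator: return the path unchanged or raise ValueError."""
    if not relative_path:
        raise ValueError("relative_path is empty")
    if any(ch in relative_path for ch in (FIELD_SEP, "\n", "\r")):
        raise ValueError("relative_path contains a manifest separator")
    if relative_path.startswith("/"):
        raise ValueError("relative_path must not be absolute")
    normalized = posixpath.normpath(relative_path)
    # Rejects "./x", "a//b", "a/../b" (aliases) and anything escaping the root.
    if (normalized != relative_path or normalized in (".", "..")
            or normalized.startswith("../")):
        raise ValueError("relative_path is not in normalized form")
    if normalized == MANIFEST_NAME:
        raise ValueError("relative_path collides with the generated manifest")
    return relative_path

def check_samples(paths):
    """Map each sample path to 'ok' or the rejection reason."""
    results = {}
    for path in paths:
        try:
            validate_relative_path(path)
            results[path] = "ok"
        except ValueError as exc:
            results[path] = str(exc)
    return results

# Constructed sample inputs, not taken from the ticket.
SAMPLES = ["iso/disk1.iso", "a,b.txt", "PULP_MANIFEST", "../etc/x", "./PULP_MANIFEST"]
```

Running the validator when the content unit is created, rather than at publish time, keeps a bad path from ever reaching the manifest writer.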