Issue #6402

closed

secret fields on Remote objects can cause mutation of data

Added by dkliban@redhat.com about 4 years ago. Updated about 4 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Category: -
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 69
Quarter:

Description

When using the bindings, if you take the FileRemote object returned by the read() or create() method and pass it to the update() method, the client_cert field gets updated to a new value. This will be true for any SecretCharField.



        (Pdb) file_remote
        {'ca_cert': None,
         'client_cert': 'b3226466e6d9c43c7058f69e1ff41daaf688cd223c084faa3e28202813ecff28',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 9, 13, 631703, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
        (Pdb) fileremotes.update(file_remote.pulp_href, file_remote)
        {'task': '/pulp/api/v3/tasks/ec6a2bb6-4ce4-4a0e-ab1c-62d37aecfd27/'}
        (Pdb) file_updated_remote = fileremotes.read(file_remote.pulp_href)
        (Pdb) file_updated_remote
        {'ca_cert': None,
         'client_cert': '7fc2a6b69d81c4581eac98454217b173a8b23256eefad0bb9eaabe199d8baae8',
         'client_key': None,
         'download_concurrency': 20,
         'name': 'bar25',
         'policy': 'immediate',
         'proxy_url': None,
         'pulp_created': datetime.datetime(2020, 3, 25, 17, 9, 13, 631685, tzinfo=tzlocal()),
         'pulp_href': '/pulp/api/v3/remotes/file/file/e42eea0d-e583-45ce-bdca-342169385cb2/',
         'pulp_last_updated': datetime.datetime(2020, 3, 25, 17, 10, 37, 747011, tzinfo=tzlocal()),
         'tls_validation': True,
         'url': 'https://repos.fedorapeople.org/pulp/pulp/demo_repos/test_file_repo/PULP_MANIFEST'}
         


Actions #1

Updated by pulpbot about 4 years ago

  • Status changed from ASSIGNED to POST

Added by dkliban@redhat.com about 4 years ago

Revision e22b3725

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402
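
A minimal model of the behaviour reported in the description and of the check named in the commit message, as an added example that is not Pulp's code. It assumes, as the commit message implies, that the API returns the sha256 checksum of a secret field in place of its value; `RemoteStore`, `ignore_own_checksum` and `round_trip` are hypothetical names, and the certificate string is constructed.

```python
import hashlib


def sha256_hex(value):
    """Checksum shown to API clients in place of the secret itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class RemoteStore:
    """Hypothetical in-memory stand-in for a Remote with secret fields."""

    SECRET_FIELDS = ("client_cert", "client_key", "ca_cert")

    def __init__(self, ignore_own_checksum, **fields):
        self.ignore_own_checksum = ignore_own_checksum
        self._data = dict(fields)

    def read(self):
        """Serialize for the client: secrets are replaced by their sha256."""
        out = dict(self._data)
        for name in self.SECRET_FIELDS:
            if out.get(name) is not None:
                out[name] = sha256_hex(out[name])
        return out

    def update(self, incoming):
        """Apply a full update, as passing a read() result to update() does."""
        for name, value in incoming.items():
            current = self._data.get(name)
            if (self.ignore_own_checksum and name in self.SECRET_FIELDS
                    and current is not None and value == sha256_hex(current)):
                continue  # client echoed the checksum back: keep the secret
            self._data[name] = value

    def stored(self, name):
        return self._data[name]


def round_trip(ignore_own_checksum):
    """Read a remote, send it back unchanged, report (secret kept, checksum stable)."""
    secret = "constructed-sample-certificate"  # constructed value, not a real cert
    remote = RemoteStore(ignore_own_checksum, name="bar25", client_cert=secret)
    before = remote.read()
    remote.update(before)
    after = remote.read()
    return (remote.stored("client_cert") == secret,
            before["client_cert"] == after["client_cert"])
```

In this model the check also means a secret can never be set to the literal sha256 hex digest of its current value, since that input is indistinguishable from an echoed read.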

Actions #2

Updated by dkliban@redhat.com about 4 years ago

  • Status changed from POST to MODIFIED

Added by dkliban@redhat.com about 4 years ago

Revision a7da2e1d

Ignores secret fields if the incoming value is the sha256 checksum of current value

fixes: #6402 https://pulp.plan.io/issues/6402 (cherry picked from commit e22b3725c6ac51e5ef29a107b2012459c36d6dab)

Actions #4

Updated by ttereshc about 4 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
  • Sprint/Milestone set to 3.3.0
