Actions
Issue #9660
closeddjango update broke pulpimport filestorage-usage
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:
Description
Ticket moved to GitHub: "pulp/pulpcore/2091":https://github.com/pulp/pulpcore/issues/2091
Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage:
In 3.14, the following failure in pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import
:
E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')")
Against core/main, the same test hangs.
The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons)
See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396
Related issues
Updated by pulpbot almost 3 years ago
- Status changed from ASSIGNED to POST
Added by ggainey almost 3 years ago
Updated by ggainey almost 3 years ago
- Status changed from POST to MODIFIED
Applied in changeset pulpcore|ba1b9fa22ff59d63093560c3d03e26b7c0d6973c.
Updated by ttereshc almost 3 years ago
- Copied to Backport #9662: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.14.z added
Updated by ttereshc almost 3 years ago
- Copied to Backport #9663: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.16.z added
Updated by ttereshc almost 3 years ago
- Copied to Backport #9664: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.17.z added
Updated by fao89 over 2 years ago
- Description updated (diff)
- Status changed from MODIFIED to CLOSED - DUPLICATE
Actions
Fixes PulpImport in the presence of Django path-traversal CVE fix.
Fixes #9660. [nocoverage]