Project

Profile

Help

Issue #9660

closed

django update broke pulpimport filestorage-usage

Added by ggainey 5 months ago. Updated 4 months ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
Platform Release:
OS:
Triaged:
No
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Ticket moved to GitHub: "pulp/pulpcore/2091":https://github.com/pulp/pulpcore/issues/2091


Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage:

In 3.14, the following failure in pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import :

E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')")

Against core/main, the same test hangs.

The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons)

See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396


Related issues

Copied to Pulp - Backport #9662: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.14.zCLOSED - CURRENTRELEASEttereshc

Actions
Copied to Pulp - Backport #9663: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.16.zCLOSED - CURRENTRELEASEttereshc

Actions
Copied to Pulp - Backport #9664: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.17.zCLOSED - CURRENTRELEASEttereshc

Actions
Actions #1

Updated by pulpbot 5 months ago

  • Status changed from ASSIGNED to POST

Added by ggainey 5 months ago

Revision ba1b9fa2

Fixes PulpImport in the presence of Django path-traversal CVE fix.

Fixes #9660. [nocoverage]

Actions #2

Updated by ggainey 5 months ago

  • Status changed from POST to MODIFIED
Actions #3

Updated by ttereshc 5 months ago

  • Copied to Backport #9662: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.14.z added
Actions #4

Updated by ttereshc 5 months ago

  • Copied to Backport #9663: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.16.z added
Actions #5

Updated by ttereshc 5 months ago

  • Copied to Backport #9664: Backport #9660 "django update broke pulpimport filestorage-usage" to 3.17.z added
Actions #6

Updated by fao89 4 months ago

  • Description updated (diff)
  • Status changed from MODIFIED to CLOSED - DUPLICATE

Also available in: Atom PDF