Backport #9662

closed

Backport #9660 "django update broke pulpimport filestorage-usage" to 3.14.z

Added by ttereshc almost 3 years ago. Updated almost 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone:
Start date:
Due date:
% Done: 100%
Estimated time:
Triaged: No
Sprint Candidate: No
Tags: Katello
Sprint: Sprint 111
Quarter:

Description

Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage:

In 3.14, the following failure in pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import:

E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')")

Against core/main, the same test hangs.

The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons).

See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396
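
The failure mode described above, as an added example that is not part of the original issue or of pulpcore's fix: a simplified stand-in for the storage-side name check (an assumption modelled on the error message, not Django's code) rejects the absolute path from the task error, and a hypothetical helper `to_storage_name` derives a name relative to an assumed media root `/var/lib/pulp/media` before it would be handed to `Storage.save()`.

```python
import posixpath
from pathlib import PurePosixPath

# Assumed media root; the artifact path is the one quoted in the task error above.
MEDIA_ROOT = "/var/lib/pulp/media"
FULL_PATH = (
    "/var/lib/pulp/media/artifact/d4/"
    "89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab"
)


class SuspiciousFileOperation(Exception):
    """Local stand-in for the exception the storage layer raises."""


def validate_storage_name(name):
    # Simplified stand-in for the storage-side check (assumption, not Django's
    # code): a name must be relative and must not contain '..' components.
    path = PurePosixPath(name)
    if path.is_absolute() or ".." in path.parts:
        raise SuspiciousFileOperation(
            "Detected path traversal attempt in '%s'" % name
        )
    return name


def to_storage_name(full_path, media_root=MEDIA_ROOT):
    """Hypothetical helper: absolute path under media_root -> relative name."""
    root = posixpath.normpath(media_root)
    full = posixpath.normpath(full_path)
    # commonpath compares whole components, so '/var/lib/pulp/media-evil' is
    # not mistaken for a child of '/var/lib/pulp/media'. Lexical check only:
    # symlinks are not resolved.
    inside = (
        posixpath.isabs(full)
        and full != root
        and posixpath.commonpath([root, full]) == root
    )
    if not inside:
        raise SuspiciousFileOperation(
            "'%s' is not inside '%s'" % (full_path, media_root)
        )
    return validate_storage_name(posixpath.relpath(full, root))


if __name__ == "__main__":
    print(to_storage_name(FULL_PATH))  # relative name, accepted by the check
```
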


Related issues

Copied from Pulp - Issue #9660: django update broke pulpimport filestorage-usage | CLOSED - DUPLICATE | ggainey

#1

Updated by ttereshc almost 3 years ago

  • Copied from Issue #9660: django update broke pulpimport filestorage-usage added
#2

Updated by pulpbot almost 3 years ago

  • Status changed from NEW to POST
#3

Updated by ttereshc almost 3 years ago

  • Sprint/Milestone set to 3.14.10

Added by ttereshc almost 3 years ago

Revision 8cc8d889 | View on GitHub

backports PulpImport in the presence of Django path-traversal CVE fix.

backports #9660. [nocoverage]

fixes #9662

(cherry picked from commit ba1b9fa22ff59d63093560c3d03e26b7c0d6973c)

#4

Updated by ttereshc almost 3 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
#5

Updated by pulpbot almost 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
