Actions
Backport #9662
closedBackport #9660 "django update broke pulpimport filestorage-usage" to 3.14.z
Start date:
Due date:
% Done:
100%
Estimated time:
Triaged:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 111
Quarter:
Description
Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage:
In 3.14, the following failure in pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import
:
E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')")
Against core/main, the same test hangs.
The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons)
See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396
Related issues
Updated by ttereshc almost 3 years ago
- Copied from Issue #9660: django update broke pulpimport filestorage-usage added
Updated by pulpbot almost 3 years ago
- Status changed from NEW to POST
Added by ttereshc almost 3 years ago
Updated by ttereshc almost 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|8cc8d889076a9700e8d7adebe40b8fc986ad1e85.
Updated by pulpbot almost 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions
backports PulpImport in the presence of Django path-traversal CVE fix.
backports #9660. [nocoverage]
fixes #9662
(cherry picked from commit ba1b9fa22ff59d63093560c3d03e26b7c0d6973c)