Actions
Backport #9663
closedBackport #9660 "django update broke pulpimport filestorage-usage" to 3.16.z
Start date:
Due date:
% Done:
100%
Estimated time:
Triaged:
No
Sprint Candidate:
No
Tags:
Katello
Sprint:
Sprint 111
Quarter:
Description
Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage:
In 3.14, the following failure in pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import
:
E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')")
Against core/main, the same test hangs.
The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons)
See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396
Related issues
Actions
Fix PulpImport in the presence of Django path-traversal CVE fix.
backports #9660. [nocoverage]
fixes #9663
(cherry picked from commit ba1b9fa22ff59d63093560c3d03e26b7c0d6973c)