Project

Profile

Help

Issue #9660

Updated by fao89 about 2 years ago

 

 **Ticket moved to GitHub**: "pulp/pulpcore/2091":https://github.com/pulp/pulpcore/issues/2091 




 ---- 


 Django addressed a security issue involving filepaths in a way that broke how pulpimport was using Storage: 

 In 3.14, the following failure in `pulp_rpm.tests.functional.api.test_pulpimport.ParallelImportTestCase testMethod=test_clean_import` : 

 ~~~ text 
 E pulp_smash.pulp3.bindings.PulpTaskError: (PulpTaskError(...), "Pulp task failed (Detected path traversal attempt in '/var/lib/pulp/media/artifact/d4/89a5ea552e5ea595976e39f891fe249e95d8eb40cbd7f50a46c0126a7072ab')") 
 ~~~ 

 Against core/main, the same test hangs. 

 The problem is that core/import builds a full-path to send to Storage.save(), which used to "work" but is now Not Allowed (for perfectly good security-reasons) 

 See https://github.com/pulp/pulpcore/blob/main/pulpcore/app/tasks/importer.py#L396 

Back