Security: Prevent arbitrary file write and read by SchoolGuy · Pull Request #2797 · cobbler/cobbler · GitHub

Security: Prevent arbitrary file write and read #2797

Merged
merged 1 commit into from
Sep 21, 2021

SchoolGuy
Member
  • Prevent arbitrary file write through upload_log_data
  • Prevent arbitrary file read through generate_script
  • Prevent log poisoning
  • Check if modify_setting is really allowed (and adjust tests)

This is a backport of PR #2794
Git-SHA of Merge Commit on master: d8f60bb

@SchoolGuy added the Security and backport labels Sep 21, 2021
@SchoolGuy requested a review from a team September 21, 2021 06:49
@SchoolGuy added this to the V3.2.2 milestone Sep 21, 2021
codecov bot commented Sep 21, 2021

Codecov Report

Merging #2797 (c55c45d) into release32 (b595896) will decrease coverage by 0.05%.
The diff coverage is 18.51%.

@@              Coverage Diff              @@
##           release32    #2797      +/-   ##
=============================================
- Coverage      29.38%   29.33%   -0.06%     
=============================================
  Files             93       93              
  Lines          12898    12972      +74     
=============================================
+ Hits            3790     3805      +15     
- Misses          9108     9167      +59     
Impacted Files Coverage Δ
cobbler/tftpgen.py 5.64% <7.69%> (+0.09%) ⬆️
cobbler/remote.py 19.30% <18.64%> (+0.06%) ⬆️
cobbler/utils.py 53.18% <20.00%> (-0.18%) ⬇️
cobbler/validate.py 19.54% <22.58%> (+0.92%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 28d03f8...c55c45d.

@SchoolGuy requested a review from vzhestkov September 21, 2021 07:57
@agraul (Contributor) left a comment

LGTM

@vzhestkov (Contributor) left a comment

Looks good

@meaksh (Member) left a comment

LGTM

@SchoolGuy merged commit b0c7c6e into release32 Sep 21, 2021
@SchoolGuy deleted the fix/release32-file-rce branch September 21, 2021 08:49