#5484 fix: Path traversal in view_issue_raw_file()
Merged a year ago by wombelix. Opened a year ago by wombelix.

file modified
+5 -1
@@ -25,6 +25,7 @@ 

  import flask

  import pygit2

  import werkzeug.datastructures

+ import werkzeug.security

  from binaryornot.helpers import is_binary_string

  from six.moves.urllib.parse import urljoin

  from sqlalchemy.exc import SQLAlchemyError
@@ -1483,7 +1484,10 @@ 

      attachdir = os.path.join(

          pagure_config["ATTACHMENTS_FOLDER"], repo.fullname

      )

-     attachpath = os.path.join(attachdir, filename)

+ 

+     # sanitize path, filename must be inside attachdir to be valid

+     attachpath = werkzeug.security.safe_join(attachdir, filename)

+ 

      if not os.path.exists(attachpath):

          if not os.path.exists(attachdir):

              os.makedirs(attachdir)
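Review bot: The new `attachpath` is never checked for `None` before it reaches `os.path.exists(attachpath)` on the next line. In current Werkzeug releases, `werkzeug.security.safe_join()` does not raise on an unsafe path; it returns `None` when the joined result would fall outside `attachdir`, so a traversal attempt would now hit `os.path.exists(None)` and fail with a `TypeError` (a 500) instead of a clean 404. Suggest an explicit guard right after the join, for example `if attachpath is None: flask.abort(404)`, so rejected filenames are handled deliberately rather than by accident. The traversal itself is closed by this change; the guard only makes the rejection path well-defined.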

Use 'werkzeug.security.safe_join()' instead of plain 'os.path.join()'
to sanitize the user-provided filename variable and avoid escaping the base directory.

Vulnerability discovered by Thomas Chauchefoin thomas@chauchefoin.fr

Fixes: rhbz#2279411, rhbz#2280728, rhbz#2280726, CVE-2024-4982

Signed-off-by: Dominik Wombacher dominik@wombacher.cc

Metadata Update from @wombelix:
- Request assigned

a year ago

Patch reviewed and validated in Bugzilla. Tests performed locally, all passed.

rebased onto 9e1a5c4

a year ago

Pull-Request has been merged by wombelix

a year ago