File fix-script-endpoint-security-bug-1030582.patch of Package cobbler
Index: cobbler-2.6.6/cobbler/pxegen.py
===================================================================
--- cobbler-2.6.6.orig/cobbler/pxegen.py
+++ cobbler-2.6.6/cobbler/pxegen.py
@@ -1256,9 +1256,16 @@ class PXEGen:
else:
blended['img_path'] = os.path.join("/images",distro.name)
- template = os.path.normpath(os.path.join("/var/lib/cobbler/scripts",script_name))
- if not os.path.exists(template):
- return "# script template %s not found" % script_name
+ scripts_path = "/var/lib/cobbler/scripts"
+ template = os.path.normpath(os.path.join(scripts_path,script_name))
+
+ available_scripts = []
+ for root, folders, files in os.walk(scripts_path):
+ for file in files:
+ available_scripts.append(os.path.join(root, file))
+
+ if not template in available_scripts:
+ return "# script %s not found" % script_name
template_fh = open(template)
template_data = template_fh.read()
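Review bot: The membership test `if not template in available_scripts` rebuilds the whole file list with `os.walk(scripts_path)` on every call, and because `os.walk` reports symlinked files in `files`, a symlink placed under the scripts directory still passes the check and is opened wherever it points. A direct containment check avoids the walk and resolves links first: `real = os.path.realpath(template)`, then `if not real.startswith(os.path.realpath(scripts_path) + os.sep) or not os.path.isfile(real):`, and open `real` rather than `template`. The not-found string also interpolates `script_name` unmodified into the returned script text, so a name containing a newline would end the `#` comment line; stripping control characters or not echoing the name avoids that. The enclosing method starts and ends outside the hunk, so whether `template_fh` is ever closed cannot be checked from here.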