File bnc_877009.patch of Package cobbler
From 45d63246ef628ab3f527168aa3e87e753e636cf0 Mon Sep 17 00:00:00 2001
From: Flavio Castelli <fcastelli@suse.com>
Date: Tue, 15 Jul 2014 11:36:30 +0200
Subject: [PATCH] Bug 877009 - VUL-0: CVE-2014-3225: cobbler: Local file
inclusion
---
cobbler/remote.py | 236 +++++++++++++++++++++++---------------
web/cobbler_web/views.py | 288 ++++++++++++++++++++++++-----------------------
2 files changed, 295 insertions(+), 229 deletions(-)
diff --git a/cobbler/remote.py b/cobbler/remote.py
index 5ce2350..bafde16 100644
--- a/cobbler/remote.py
+++ b/cobbler/remote.py
@@ -68,6 +68,9 @@ REMAP_COMPAT = {
"netboot-enabled" : "netboot_enabled"
}
+KICKSTART_TEMPLATE_BASE_DIR = "/var/lib/cobbler/kickstarts/"
+KICKSTART_SNIPPET_BASE_DIR = "/var/lib/cobbler/snippets/"
+
class CobblerThread(Thread):
def __init__(self,event_id,remote,logatron,options):
Thread.__init__(self)
@@ -1889,107 +1892,164 @@ class CobblerXMLRPCInterface:
self.check_access(token,"sync")
return self.api.sync()
- def read_or_write_kickstart_template(self,kickstart_file,is_read,new_data,token):
+ def _validate_ks_template_path(self, path):
"""
- Allows the web app to be used as a kickstart file editor. For security
- reasons we will only allow kickstart files to be edited if they reside in
- /var/lib/cobbler/kickstarts/ or /etc/cobbler. This limits the damage
- doable by Evil who has a cobbler password but not a system password.
- Also if living in /etc/cobbler the file must be a kickstart file.
+ Validate a kickstart template file path
+
+ @param str path kickstart template file path
"""
- if is_read:
- what = "read_kickstart_template"
- else:
- what = "write_kickstart_template"
+ if path.find("..") != -1 or not path.startswith("/"):
+ utils.die(self.logger, "Invalid kickstart template file location %s" % path)
- self._log(what,name=kickstart_file,token=token)
- self.check_access(token,what,kickstart_file,is_read)
-
- if kickstart_file.find("..") != -1 or not kickstart_file.startswith("/"):
- utils.die(self.logger,"tainted file location")
+ if not path.startswith(KICKSTART_TEMPLATE_BASE_DIR):
+ error = "Invalid kickstart template file location %s, it is not inside %s" % (path, KICKSTART_TEMPLATE_BASE_DIR)
+ utils.die(self.logger, error)
- if not kickstart_file.startswith("/etc/cobbler/") and not kickstart_file.startswith("/var/lib/cobbler/kickstarts"):
- utils.die(self.logger, "unable to view or edit kickstart in this location")
-
- if kickstart_file.startswith("/etc/cobbler/"):
- if not kickstart_file.endswith(".ks") and not kickstart_file.endswith(".cfg"):
- # take care to not allow config files to be altered.
- utils.die(self.logger, "this does not seem to be a kickstart file")
- if not is_read and not os.path.exists(kickstart_file):
- utils.die(self.logger, "new files must go in /var/lib/cobbler/kickstarts")
-
- if is_read:
- fileh = open(kickstart_file,"r")
- data = fileh.read()
- fileh.close()
- return data
- else:
- if new_data == -1:
- # delete requested
- if not self.is_kickstart_in_use(kickstart_file,token):
- os.remove(kickstart_file)
- else:
- utils.die(self.logger, "attempt to delete in-use file")
- else:
- fileh = open(kickstart_file,"w+")
- fileh.write(new_data)
- fileh.close()
- return True
+ def read_kickstart_template_file(self, file_path, token):
+ """
+ Read a kickstart template file
- def read_or_write_snippet(self,snippet_file,is_read,new_data,token):
+ @param str file_path kickstart template file path
+ @param ? token
+ @return str file content
"""
- Allows the WebUI to be used as a snippet file editor. For security
- reasons we will only allow snippet files to be edited if they reside in
- /var/lib/cobbler/snippets.
+
+ what = "read_kickstart_template"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_template_path(file_path)
+
+ fileh = open(file_path, "r")
+ data = fileh.read()
+ fileh.close()
+
+ return data
+
+ def write_kickstart_template_file(self, file_path, data, token):
"""
- # FIXME: duplicate code with kickstart view/edit
- # FIXME: need to move to API level functions
+ Write a kickstart template file
- if is_read:
- what = "read_snippet"
- else:
- what = "write_snippet"
+ @param str file_path kickstart template file path
+ @param str data new file content
+ @param ? token
+ @return bool if operation was successful
+ """
- self._log(what,name=snippet_file,token=token)
- self.check_access(token,what,snippet_file,is_read)
-
- if snippet_file.find("..") != -1 or not snippet_file.startswith("/"):
- utils.die(self.logger, "tainted file location")
+ what = "write_kickstart_template"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_template_path(file_path)
- # FIXME: shouldn't we get snippetdir from the settings?
- if not snippet_file.startswith("/var/lib/cobbler/snippets"):
- utils.die(self.logger, "unable to view or edit snippet in this location")
-
- if is_read:
- fileh = open(snippet_file,"r")
- data = fileh.read()
- fileh.close()
- return data
+ try:
+ utils.mkdir(os.path.dirname(file_path))
+ except:
+ utils.die(self.logger, "unable to create directory for kickstart template at %s" % file_path)
+
+ fileh = open(file_path, "w+")
+ fileh.write(data)
+ fileh.close()
+
+ return True
+
+ def remove_kickstart_template_file(self, file_path, token):
+ """
+ Remove a kickstart template file
+
+ @param str file_path kickstart template file path
+ @param ? token
+ @return bool if operation was successful
+ """
+
+ what = "write_kickstart_template"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_template_path(file_path)
+
+ if not self.is_kickstart_in_use(file_path, token):
+ os.remove(file_path)
else:
- if new_data == -1:
- # FIXME: no way to check if something is using it
- os.remove(snippet_file)
- else:
- # path_part(a,b) checks for the path b to be inside path a. It is
- # guaranteed to return either an empty string (meaning b is NOT inside
- # a), or a path starting with '/'. If the path ends with '/' the sub-path
- # is a directory so we don't write to it.
-
- # FIXME: shouldn't we get snippetdir from the settings?
- path_part = utils.path_tail("/var/lib/cobbler/snippets",snippet_file)
- if path_part != "" and path_part[-1] != "/":
- try:
- utils.mkdir(os.path.dirname(snippet_file))
- except:
- utils.die(self.logger, "unable to create directory for snippet file: '%s'" % snippet_file)
- fileh = open(snippet_file,"w+")
- fileh.write(new_data)
- fileh.close()
- else:
- utils.die(self.logger, "invalid snippet file specified: '%s'" % snippet_file)
- return True
+ utils.die(self.logger, "attempt to delete in-use file")
+
+ return True
+
+ # FIXME: duplicated code for kickstart and snippet
+ # FIXME: need to move to API level functions
+
+ def _validate_ks_snippet_path(self, path):
+
+ if path.find("..") != -1 or not path.startswith("/"):
+ utils.die(self.logger, "Invalid kickstart snippet file location %s" % path)
+
+ if not path.startswith(KICKSTART_SNIPPET_BASE_DIR):
+ error = "Invalid kickstart snippet file location %s, it is not inside %s" % (path, KICKSTART_SNIPPET_BASE_DIR)
+ utils.die(self.logger, error)
+
+ def read_kickstart_snippet_file(self, file_path, token):
+ """
+ Read a kickstart snippet file
+
+ @param str file_path kickstart snippet file path
+ @param ? token
+ @return str file content
+ """
+
+ what = "read_kickstart_snippet"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_snippet_path(file_path)
+
+ fileh = open(file_path, "r")
+ data = fileh.read()
+ fileh.close()
+
+ return data
+
+ def write_kickstart_snippet_file(self, file_path, data, token):
+ """
+ Write a kickstart snippet file
+
+ @param str file_path kickstart snippet file path
+ @param str data new file content
+ @param ? token
+ @return bool if operation was successful
+ """
+
+ what = "write_kickstart_snippet"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_snippet_path(file_path)
+
+ try:
+ utils.mkdir(os.path.dirname(file_path))
+ except:
+ utils.die(self.logger, "unable to create directory for snippet at %s" % file_path)
+
+ fileh = open(file_path, "w+")
+ fileh.write(data)
+ fileh.close()
+
+ return True
+
+ def remove_kickstart_snippet_file(self, file_path, token):
+ """
+ Remove a kickstart snippet file
+
+ @param str file_path kickstart snippet file path
+ @param ? token
+ @return bool if operation was successful
+ """
+
+ what = "write_kickstart_snippet"
+ self._log(what, name=file_path, token=token)
+ self.check_access(token, what, file_path, True)
+ self._validate_ks_snippet_path(file_path)
+ # FIXME: could check if snippet is in use
+ snippet_file_path = KICKSTART_SNIPPET_BASE_DIR + file_path
+ os.remove(file_path)
+
+ return True
def power_system(self,object_id,power=None,token=None,logger=None):
"""
diff --git a/web/cobbler_web/views.py b/web/cobbler_web/views.py
index 692ba65..72ceb14 100644
--- a/web/cobbler_web/views.py
+++ b/web/cobbler_web/views.py
@@ -632,178 +632,184 @@ def import_run(request):
# ======================================================================
def ksfile_list(request, page=None):
- """
- List all kickstart templates and link to their edit pages.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/ksfile/list", expired=True)
- ksfiles = remote.get_kickstart_templates(request.session['token'])
-
- ksfile_list = []
- for ksfile in ksfiles:
- if ksfile.startswith("/var/lib/cobbler/kickstarts") or ksfile.startswith("/etc/cobbler"):
- ksfile_list.append((ksfile,ksfile.replace('/var/lib/cobbler/kickstarts/',''),'editable'))
- elif ksfile.startswith("http://") or ksfile.startswith("ftp://"):
- ksfile_list.append((ksfile,ksfile,'','viewable'))
- else:
- ksfile_list.append((ksfile,ksfile,None))
+ """
+ List all kickstart templates and link to their edit pages.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/ksfile/list", expired=True)
+ ksfiles = remote.get_kickstart_templates(request.session['token'])
+
+ ksfile_list = []
+ base_dir = "/var/lib/cobbler/kickstarts/"
+ for ksfile in ksfiles:
+ if ksfile.startswith(base_dir):
+ ksfile_list.append((ksfile, ksfile.replace(base_dir, ''), 'editable'))
+ else:
+ return error_page(request, "Invalid kickstart template at %s, outside %s" % (ksfile, base_dir))
- t = get_template('ksfile_list.tmpl')
- html = t.render(RequestContext(request,{
- 'what':'ksfile',
- 'ksfiles': ksfile_list,
- 'version': remote.extended_version(request.session['token'])['version'],
- 'username': username,
- 'item_count': len(ksfile_list[0]),
- }))
- return HttpResponse(html)
+ t = get_template('ksfile_list.tmpl')
+ html = t.render(RequestContext(request, {
+ 'what': 'ksfile',
+ 'ksfiles': ksfile_list,
+ 'version': remote.extended_version(request.session['token'])['version'],
+ 'username': username,
+ 'item_count': len(ksfile_list[0]),
+ }))
+ return HttpResponse(html)
# ======================================================================
@csrf_protect
def ksfile_edit(request, ksfile_name=None, editmode='edit'):
- """
- This is the page where a kickstart file is edited.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/ksfile/edit/file:%s" % ksfile_name, expired=True)
- if editmode == 'edit':
- editable = False
- else:
- editable = True
- deleteable = False
- ksdata = ""
- if not ksfile_name is None:
- editable = remote.check_access_no_fail(request.session['token'], "modify_kickstart", ksfile_name)
- deleteable = not remote.is_kickstart_in_use(ksfile_name, request.session['token'])
- ksdata = remote.read_or_write_kickstart_template(ksfile_name, True, "", request.session['token'])
-
- t = get_template('ksfile_edit.tmpl')
- html = t.render(RequestContext(request,{
- 'ksfile_name' : ksfile_name,
- 'deleteable' : deleteable,
- 'ksdata' : ksdata,
- 'editable' : editable,
- 'editmode' : editmode,
- 'version' : remote.extended_version(request.session['token'])['version'],
- 'username' : username
- }))
- return HttpResponse(html)
+ """
+ This is the page where a kickstart file is edited.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/ksfile/edit/file:%s" % ksfile_name, expired=True)
+ if editmode == 'edit':
+ editable = False
+ else:
+ editable = True
+ deleteable = False
+ ksdata = ""
+ if not ksfile_name is None:
+ editable = remote.check_access_no_fail(request.session['token'], "modify_kickstart", ksfile_name)
+ deleteable = not remote.is_kickstart_in_use(ksfile_name, request.session['token'])
+ ksdata = remote.read_kickstart_template(ksfile_name, request.session['token'])
+
+ t = get_template('ksfile_edit.tmpl')
+ html = t.render(RequestContext(request, {
+ 'ksfile_name': ksfile_name,
+ 'deleteable': deleteable,
+ 'ksdata': ksdata,
+ 'editable': editable,
+ 'editmode': editmode,
+ 'version': remote.extended_version(request.session['token'])['version'],
+ 'username': username
+ }))
+ return HttpResponse(html)
# ======================================================================
@require_POST
@csrf_protect
def ksfile_save(request):
- """
- This page processes and saves edits to a kickstart file.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/ksfile/list", expired=True)
- # FIXME: error checking
+ """
+ This page processes and saves edits to a kickstart file.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/ksfile/list", expired=True)
+ # FIXME: error checking
- editmode = request.POST.get('editmode', 'edit')
- ksfile_name = request.POST.get('ksfile_name', None)
- ksdata = request.POST.get('ksdata', "").replace('\r\n','\n')
+ editmode = request.POST.get('editmode', 'edit')
+ ksfile_name = request.POST.get('ksfile_name', None)
+ ksdata = request.POST.get('ksdata', "").replace('\r\n', '\n')
- if ksfile_name == None:
- return HttpResponse("NO KSFILE NAME SPECIFIED")
- if editmode != 'edit':
- ksfile_name = "/var/lib/cobbler/kickstarts/" + ksfile_name
+ if ksfile_name == None:
+ return HttpResponse("NO KSFILE NAME SPECIFIED")
+ if editmode != 'edit':
+ ksfile_name = "/var/lib/cobbler/kickstarts/" + ksfile_name
- delete1 = request.POST.get('delete1', None)
- delete2 = request.POST.get('delete2', None)
+ delete1 = request.POST.get('delete1', None)
+ delete2 = request.POST.get('delete2', None)
- if delete1 and delete2:
- remote.read_or_write_kickstart_template(ksfile_name, False, -1, request.session['token'])
- return HttpResponseRedirect('/cobbler_web/ksfile/list')
- else:
- remote.read_or_write_kickstart_template(ksfile_name,False,ksdata,request.session['token'])
- return HttpResponseRedirect('/cobbler_web/ksfile/edit/file:%s' % ksfile_name)
+ if delete1 and delete2:
+ remote.remove_kickstart_template(ksfile_name, request.session['token'])
+ return HttpResponseRedirect('/cobbler_web/ksfile/list')
+ else:
+ remote.write_kickstart_template(ksfile_name, ksdata, request.session['token'])
+ return HttpResponseRedirect('/cobbler_web/ksfile/list')
# ======================================================================
def snippet_list(request, page=None):
- """
- This page lists all available snippets and has links to edit them.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/snippet/list", expired=True)
- snippets = remote.get_snippets(request.session['token'])
-
- snippet_list = []
- for snippet in snippets:
- if snippet.startswith("/var/lib/cobbler/snippets"):
- snippet_list.append((snippet,snippet.replace("/var/lib/cobbler/snippets/",""),'editable'))
- else:
- snippet_list.append((snippet,snippet,None))
-
- t = get_template('snippet_list.tmpl')
- html = t.render(RequestContext(request,{
- 'what' : 'snippet',
- 'snippets' : snippet_list,
- 'version' : remote.extended_version(request.session['token'])['version'],
- 'username' : username
- }))
- return HttpResponse(html)
+ """
+ This page lists all available snippets and has links to edit them.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/snippet/list", expired=True)
+ snippets = remote.get_snippets(request.session['token'])
+
+ snippet_list = []
+ base_dir = "/var/lib/cobbler/snippets/"
+ for snippet in snippets:
+ if snippet.startswith(base_dir):
+ snippet_list.append((snippet, snippet.replace(base_dir, ""), 'editable'))
+ else:
+ return error_page(request, "Invalid snippet at %s, outside %s" % (snippet, base_dir))
+
+ t = get_template('snippet_list.tmpl')
+ html = t.render(RequestContext(request, {
+ 'what': 'snippet',
+ 'snippets': snippet_list,
+ 'version': remote.extended_version(request.session['token'])['version'],
+ 'username': username
+ }))
+ return HttpResponse(html)
# ======================================================================
@csrf_protect
def snippet_edit(request, snippet_name=None, editmode='edit'):
- """
- This page edits a specific snippet.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/edit/file:%s" % snippet_name, expired=True)
- if editmode == 'edit':
- editable = False
- else:
- editable = True
- deleteable = False
- snippetdata = ""
- if not snippet_name is None:
- editable = remote.check_access_no_fail(request.session['token'], "modify_snippet", snippet_name)
- deleteable = True
- snippetdata = remote.read_or_write_snippet(snippet_name, True, "", request.session['token'])
-
- t = get_template('snippet_edit.tmpl')
- html = t.render(RequestContext(request,{
- 'snippet_name' : snippet_name,
- 'deleteable' : deleteable,
- 'snippetdata' : snippetdata,
- 'editable' : editable,
- 'editmode' : editmode,
- 'version' : remote.extended_version(request.session['token'])['version'],
- 'username' : username
- }))
- return HttpResponse(html)
+ """
+ This page edits a specific snippet.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/edit/file:%s" % snippet_name, expired=True)
+ if editmode == 'edit':
+ editable = False
+ else:
+ editable = True
+ deleteable = False
+ snippetdata = ""
+ if not snippet_name is None:
+ editable = remote.check_access_no_fail(request.session['token'], "modify_snippet", snippet_name)
+ deleteable = True
+ snippetdata = remote.read_kickstart_snippet(snippet_name, request.session['token'])
+
+ t = get_template('snippet_edit.tmpl')
+ html = t.render(RequestContext(request, {
+ 'snippet_name': snippet_name,
+ 'deleteable': deleteable,
+ 'snippetdata': snippetdata,
+ 'editable': editable,
+ 'editmode': editmode,
+ 'version': remote.extended_version(request.session['token'])['version'],
+ 'username': username
+ }))
+ return HttpResponse(html)
# ======================================================================
@require_POST
@csrf_protect
def snippet_save(request):
- """
- This snippet saves a snippet once edited.
- """
- if not test_user_authenticated(request): return login(request, next="/cobbler_web/snippet/list", expired=True)
- # FIXME: error checking
-
- editmode = request.POST.get('editmode', 'edit')
- snippet_name = request.POST.get('snippet_name', None)
- snippetdata = request.POST.get('snippetdata', "").replace('\r\n','\n')
-
- if snippet_name == None:
- return HttpResponse("NO SNIPPET NAME SPECIFIED")
- if editmode != 'edit':
- if snippet_name.find("/var/lib/cobbler/snippets/") != 0:
- snippet_name = "/var/lib/cobbler/snippets/" + snippet_name
-
- delete1 = request.POST.get('delete1', None)
- delete2 = request.POST.get('delete2', None)
-
- if delete1 and delete2:
- remote.read_or_write_snippet(snippet_name, False, -1, request.session['token'])
- return HttpResponseRedirect('/cobbler_web/snippet/list')
- else:
- remote.read_or_write_snippet(snippet_name,False,snippetdata,request.session['token'])
- return HttpResponseRedirect('/cobbler_web/snippet/edit/file:%s' % snippet_name)
+ """
+ This snippet saves a snippet once edited.
+ """
+ if not test_user_authenticated(request):
+ return login(request, next="/cobbler_web/snippet/list", expired=True)
+ # FIXME: error checking
+
+ editmode = request.POST.get('editmode', 'edit')
+ snippet_name = request.POST.get('snippet_name', None)
+ snippetdata = request.POST.get('snippetdata', "").replace('\r\n', '\n')
+
+ if snippet_name == None:
+ return HttpResponse("NO SNIPPET NAME SPECIFIED")
+ if editmode != 'edit':
+ if snippet_name.find("/var/lib/cobbler/snippets/") != 0:
+ snippet_name = "/var/lib/cobbler/snippets/" + snippet_name
+
+ delete1 = request.POST.get('delete1', None)
+ delete2 = request.POST.get('delete2', None)
+
+ if delete1 and delete2:
+ remote.remove_kickstart_snippet(snippet_name, request.session['token'])
+ return HttpResponseRedirect('/cobbler_web/snippet/list')
+ else:
+ remote.write_kickstart_snippet(snippet_name, snippetdata, request.session['token'])
+ return HttpResponseRedirect('/cobbler_web/snippet/list')
# ======================================================================
--
1.8.4.5
