File v3-1-2-incomplete-template-sanatization.patch of Package cobbler

From 1ad50edbc2b122d0a9f6b85c66b1abc852a06472 Mon Sep 17 00:00:00 2001
From: Enno Gotthold <egotthold@suse.de>
Date: Fri, 28 Jan 2022 13:37:25 +0100
Subject: [PATCH] Security: Fix incomplete template sanitization

This is only affecting Cheetah templating.

Because of missing sanitization in "templar.py" it was possible to use
imports not on the "cheetah_import_whitelist" property in
"settings.yaml" defined in a template.

Example exploit:

"""
# from example import example
"""

After these changes this is not possible anymore.
---
 cobbler/templar.py    |  4 ++--
 tests/templar_test.py | 46 +++++++++++++++++++++++++++++--------------
 2 files changed, 33 insertions(+), 17 deletions(-)

Index: cobbler-3.1.2/cobbler/templar.py
===================================================================
--- cobbler-3.1.2.orig/cobbler/templar.py
+++ cobbler-3.1.2/cobbler/templar.py
@@ -79,8 +79,8 @@ class Templar(object):
         """
         lines = data.split("\n")
         for line in lines:
-            if line.find("#import") != -1:
-                rest = line.replace("#import", "").replace(" ", "").strip()
+            if line.find("#import") != -1 or line.find("#from") != -1:
+                rest = line.replace("#import", "").replace("#from", "").replace("import", ".").replace(" ", "").strip()
                 if self.settings and rest not in self.settings.cheetah_import_whitelist:
                     raise CX("potentially insecure import in template: %s" % rest)
 
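Review bot: in the new `rest = ...` line, `.replace("import", ".")` is a plain substring replacement. It rewrites every occurrence of "import" on the line, including one inside a module or symbol name. Likewise, `line.find("#from") != -1` matches the token anywhere in the line, not only as a directive at its start. As far as these lines show, the result fails closed: an unexpected `rest` is not in `cheetah_import_whitelist` and raises `CX`. But legitimate templates can be rejected, and the error message then prints a mangled name. Consider parsing the directive instead, for example by matching the stripped line against an anchored pattern for `#import <module>` and `#from <module> import <name>` and building `rest` from the captured parts. The hunk also leaves undocumented that a `#from a import b` line is now compared as `a.b`, so the docstring or the settings documentation should state that whitelist entries for from-imports need that form. Finally, the example in the commit message is written with a space after `#`, which the literal `"#from"` test does not match. It is worth confirming whether that spacing is only an artifact of the commit message and, if not, covering it with a test case.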