systemsmanagement:Uyuni:Snapshots:2022.06
File v3-1-2-incomplete-template-sanatization.patch of Package cobbler
From 1ad50edbc2b122d0a9f6b85c66b1abc852a06472 Mon Sep 17 00:00:00 2001 From: Enno Gotthold <egotthold@suse.de> Date: Fri, 28 Jan 2022 13:37:25 +0100 Subject: [PATCH] Security: Fix incomplete template sanitization This is only affecting Cheetah templating. Because of missing sanitization in "templar.py" it was possible to use imports not on the "cheetah_import_whitelist" property in "settings.yaml" defined in a template. Example exploit: """ # from example import example """ After these changes this is not possible anymore. --- cobbler/templar.py | 4 ++-- tests/templar_test.py | 46 +++++++++++++++++++++++++++++-------------- 2 files changed, 33 insertions(+), 17 deletions(-) Index: cobbler-3.1.2/cobbler/templar.py =================================================================== --- cobbler-3.1.2.orig/cobbler/templar.py +++ cobbler-3.1.2/cobbler/templar.py @@ -79,8 +79,8 @@ class Templar(object): """ lines = data.split("\n") for line in lines: - if line.find("#import") != -1: - rest = line.replace("#import", "").replace(" ", "").strip() + if line.find("#import") != -1 or line.find("#from") != -1: + rest = line.replace("#import", "").replace("#from", "").replace("import", ".").replace(" ", "").strip() if self.settings and rest not in self.settings.cheetah_import_whitelist: raise CX("potentially insecure import in template: %s" % rest)
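Review bot: the new `rest` normalisation in the `+` lines of the `templar.py` hunk replaces every occurrence of the substring `import` with `.`, not only the `import` keyword of a `#from ... import ...` directive, so a module or symbol whose name contains that substring (for example `important`) is mangled before the `cheetah_import_whitelist` comparison and can never match; splitting the directive on whitespace and building `module.name` from the second and fourth tokens would be more robust. Note also that for the `#from` form the value compared is the dotted `module.name`, so whitelist entries in `settings.yaml` have to list each from-imported name in that form rather than just the module, which the commit message should state. Finally, the diffstat in the header lists `tests/templar_test.py` (46 lines changed) but the patch body contains only the `cobbler/templar.py` hunk, so either the test hunk was dropped during the rebase or the stat is stale and should be regenerated.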