pcs/bz2219407-01-use-a-filter-when-extracting-a-config-backup-tarball.patch
Michal Pospisil a8b1b4c1d8 Resolves: rhbz#2163953 rhbz#2216434 rhbz#2217850 rhbz#2219407
- Added BuildRequires: debugedit - for generating MiniDebugInfo - triggered by removing find-debuginfo.sh from rpm
- Make use of filters when extracting tarballs to enhance security if provided by Python (pcs config restore command)
- Exporting constraints with rules in form of pcs commands now escapes # and fixes spaces in dates to make the commands valid
- Constraints containing options unsupported by pcs are not exported and a warning is printed instead
- Using spaces in dates in location constraint rules is deprecated
2023-07-12 16:54:23 +02:00


From e47799cbdd588649872efd24d6bcfa78acb23ecb Mon Sep 17 00:00:00 2001
From: Tomas Jelinek <tojeline@redhat.com>
Date: Tue, 11 Jul 2023 14:09:17 +0200
Subject: [PATCH 3/3] use a filter when extracting a config backup tarball
---
pcs/config.py | 26 ++++++++++++++++++++++++--
1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/pcs/config.py b/pcs/config.py
index 56c49aae..d750f52f 100644
--- a/pcs/config.py
+++ b/pcs/config.py
@@ -488,14 +488,36 @@ def config_restore_local(infile_name, infile_obj):
if "rename" in extract_info and extract_info["rename"]:
if tmp_dir is None:
tmp_dir = tempfile.mkdtemp()
- tarball.extractall(tmp_dir, [tar_member_info])
+ if hasattr(tarfile, "data_filter"):
+ # Safe way of extraction is available since Python 3.12,
+ # hasattr above checks if it's available.
+ # It's also backported to 3.11.4, 3.10.12, 3.9.17.
+ # It may be backported to older versions in downstream.
+ tarball.extractall(
+ tmp_dir, [tar_member_info], filter="data"
+ )
+ else:
+ # Unsafe way of extraction
+ # Remove once we don't support Python 3.8 and older
+ tarball.extractall(tmp_dir, [tar_member_info])
path_full = extract_info["path"]
shutil.move(
os.path.join(tmp_dir, tar_member_info.name), path_full
)
else:
dir_path = os.path.dirname(extract_info["path"])
- tarball.extractall(dir_path, [tar_member_info])
+ if hasattr(tarfile, "data_filter"):
+ # Safe way of extraction is available since Python 3.12,
+ # hasattr above checks if it's available.
+ # It's also backported to 3.11.4, 3.10.12, 3.9.17.
+ # It may be backported to older versions in downstream.
+ tarball.extractall(
+ dir_path, [tar_member_info], filter="data"
+ )
+ else:
+ # Unsafe way of extracting
+ # Remove once we don't support Python 3.8 and older
+ tarball.extractall(dir_path, [tar_member_info])
path_full = os.path.join(dir_path, tar_member_info.name)
file_attrs = extract_info["attrs"]
os.chmod(path_full, file_attrs["mode"])
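Review bot: Both `else` branches still call `tarball.extractall(...)` with no filter and no warning, so on an interpreter without `tarfile.data_filter` nothing in this hunk rejects a member name that is absolute or contains `..`. `config_restore_local` starts before and continues after the hunk, so the name may already be checked against a known file list, or `tarfile.TarError` handled, outside the visible lines; if not, the fallback should check the name itself. The same eleven-line branch is added twice, so a small private helper would keep the two call sites from drifting apart and leave one place to delete once Python 3.8 support is dropped. The sketch below does both.

```python
def _extract_member(tarball, member, dest_dir):
    """Extract one member into dest_dir, filtered where Python supports it."""
    if hasattr(tarfile, "data_filter"):
        tarball.extractall(dest_dir, [member], filter="data")
        return
    # No extraction filter on this interpreter (Python 3.8 and older):
    # refuse names that could resolve outside dest_dir before extracting.
    name = member.name
    if os.path.isabs(name) or ".." in name.split("/"):
        raise tarfile.TarError(f"unsafe member name in backup: {name}")
    tarball.extractall(dest_dir, [member])

# … unchanged: tmp_dir creation in the "rename" branch …
_extract_member(tarball, tar_member_info, tmp_dir)
# … unchanged: shutil.move, else branch, dir_path computation …
_extract_member(tarball, tar_member_info, dir_path)
```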
--
2.41.0