Symlink traversal in debian/copyright storing code
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Julian Edwards | ||
Bug Description
From lp.archiveuploa
globpath = os.path.
for fullpath in glob.glob(
if not os.path.
Yeah, that's probably not such a good idea. If debian/copyright is a symlink, the upload processor will still dutifully read it in and store it in the database. The malicious uploader could do something like symlink to /dev/zero, causing memory exhaustion. Or they could symlink to some other file, submit a branch to get SPR.copyright exposed on the API, and get the contents of any readable file.
SPR.copyright fortunately isn't exposed anywhere yet AFAICT, so it's probably at worst a DoS.
| William Grant (wgrant) wrote | #1 |
| William Grant (wgrant) wrote | #2 |
| William Grant (wgrant) wrote | #3 |
| William Grant (wgrant) wrote | #4 |
| Julian Edwards (julian-edwards) wrote | #5 |
| Changed in soyuz: | |
| status: | New → Confirmed |
| importance: | Undecided → High |
| status: | Confirmed → Triaged |
| Changed in soyuz: | |
| status: | Triaged → In Progress |
| assignee: | nobody → Julian Edwards (julian-edwards) |
| Julian Edwards (julian-edwards) wrote | #6 |
| tags: | added: soyuz-upload |
| Ursula Junque (ursinha) wrote Bug fixed by a commit | #7 |
| Changed in soyuz: | |
| milestone: | none → 10.03 |
| status: | In Progress → Fix Committed |
| tags: | added: qa-needstesting |
| Changed in soyuz: | |
| status: | Fix Committed → Fix Released |
| visibility: | private → public |
This one will stick /etc/passwd into the new SPR's copyright column.