Symlink traversal in debian/copyright storing code
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Julian Edwards |
Bug Description
From lp.archiveuploa

```python
globpath = os.path.
for fullpath in glob.glob(
if not os.path.
```
Yeah, that's probably not such a good idea. If debian/copyright is a symlink, the upload processor will still dutifully read it in and store it in the database. The malicious uploader could do something like symlink to /dev/zero, causing memory exhaustion. Or they could symlink to some other file, submit a branch to get SPR.copyright exposed on the API, and get the contents of any readable file.
SPR.copyright fortunately isn't exposed anywhere yet AFAICT, so it's probably at worst a DoS.
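A hardened reader for debian/copyright, added here as an illustration and not Launchpad's own fix: it refuses anything that is not a regular file (so a copyright that is really a symlink to /etc/passwd or /dev/zero is never read), and caps how many bytes are stored so an endless device cannot exhaust memory. The cap value, the exception class and the constructed fixtures in `demo()` are assumptions.

```python
import os
import stat
import tempfile

MAX_COPYRIGHT_BYTES = 1024 * 1024  # assumed cap; a link to /dev/zero never ends

class UnsafeCopyrightFile(Exception):
    """debian/copyright is not a plain, bounded regular file."""

def read_copyright(unpacked_dir, max_bytes=MAX_COPYRIGHT_BYTES):
    path = os.path.join(unpacked_dir, "debian", "copyright")
    st = os.lstat(path)  # lstat() does not follow symlinks, unlike os.path.* checks
    if not stat.S_ISREG(st.st_mode):  # symlink, device, FIFO, directory...
        raise UnsafeCopyrightFile("debian/copyright is not a regular file")
    # O_NOFOLLOW (where available) closes the race between lstat() and open().
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        data = os.read(fd, max_bytes + 1)  # one past the cap: detect, not truncate
    finally:
        os.close(fd)
    if len(data) > max_bytes:
        raise UnsafeCopyrightFile("debian/copyright exceeds %d bytes" % max_bytes)
    return data

def _attempt(unpacked_dir, **kw):
    try:
        read_copyright(unpacked_dir, **kw)
        return "stored"
    except UnsafeCopyrightFile:
        return "rejected"

def demo():
    results = {}  # constructed fixtures: a normal, a symlinked and an oversized upload
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "debian"))
        target = os.path.join(tmp, "debian", "copyright")
        with open(target, "wb") as f:
            f.write(b"Copyright 2010 Example\n")
        results["regular"] = read_copyright(tmp)
        secret = os.path.join(tmp, "secret")  # stands in for /etc/passwd
        os.rename(target, secret)
        os.symlink(secret, target)  # the shape of upload the bug describes
        results["symlink"] = _attempt(tmp)
        os.remove(target)
        with open(target, "wb") as f:
            f.write(b"\0" * 64)  # small stand-in for /dev/zero
        results["oversized"] = _attempt(tmp, max_bytes=32)
    return results
```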
Changed in soyuz:
    status: New → Confirmed
    importance: Undecided → High
    status: Confirmed → Triaged

Changed in soyuz:
    status: Triaged → In Progress
    assignee: nobody → Julian Edwards (julian-edwards)

Changed in soyuz:
    status: Fix Committed → Fix Released
    visibility: private → public
This one will stick /etc/passwd into the new SPR's copyright column.