Attachment 1975184 Details for Bug 2219407 – proposed fix

[patch] proposed fix

0001-use-a-filter-when-extracting-a-config-backup-tarball.patch (text/plain), 3.44 KB, created by Tomas Jelinek on 2023-07-11 15:46:12 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Tomas Jelinek

Created: 2023-07-11 15:46:12 UTC

Size: 3.44 KB

patch

obsolete

>From 9d0bdcd42d29b1d7ca783d8b7585401ba59fffa9 Mon Sep 17 00:00:00 2001
>From: Tomas Jelinek <tojeline@redhat.com>
>Date: Tue, 11 Jul 2023 14:09:17 +0200
>Subject: [PATCH] use a filter when extracting a config backup tarball
>
>---
> CHANGELOG.md  |  5 +++++
> pcs/config.py | 26 ++++++++++++++++++++++++--
> 2 files changed, 29 insertions(+), 2 deletions(-)
>
>diff --git a/CHANGELOG.md b/CHANGELOG.md
>index 5117b337c..bdc4ca33e 100644
>--- a/CHANGELOG.md
>+++ b/CHANGELOG.md
>@@ -2,6 +2,10 @@
> 
> ## [Unreleased]
> 
>+### Security
>+- Make use of filters when extracting tarballs to enhance security if provided
>+  by Python (`pcs config restore` command) ([rhbz#2219407])
>+
> ### Fixed
> - Exporting constraints with rules in form of pcs commands now escapes `#` and
>   fixes spaces in dates to make the commands valid ([rhbz#2163953])
>@@ -20,6 +24,7 @@
> 
> [rhbz#2163953]: https://bugzilla.redhat.com/show_bug.cgi?id=2163953
> [rhbz#2217850]: https://bugzilla.redhat.com/show_bug.cgi?id=2217850
>+[rhbz#2219407]: https://bugzilla.redhat.com/show_bug.cgi?id=2219407
> 
> 
> ## [0.11.6] - 2023-06-20
>diff --git a/pcs/config.py b/pcs/config.py
>index 56c49aaeb..d750f52f7 100644
>--- a/pcs/config.py
>+++ b/pcs/config.py
>@@ -488,14 +488,36 @@ def config_restore_local(infile_name, infile_obj):
>                 if "rename" in extract_info and extract_info["rename"]:
>                     if tmp_dir is None:
>                         tmp_dir = tempfile.mkdtemp()
>-                    tarball.extractall(tmp_dir, [tar_member_info])
>+                    if hasattr(tarfile, "data_filter"):
>+                        # Safe way of extraction is available since Python 3.12,
>+                        # hasattr above checks if it's available.
>+                        # It's also backported to 3.11.4, 3.10.12, 3.9.17.
>+                        # It may be backported to older versions in downstream.
>+                        tarball.extractall(
>+                            tmp_dir, [tar_member_info], filter="data"
>+                        )
>+                    else:
>+                        # Unsafe way of extraction
>+                        # Remove once we don't support Python 3.8 and older
>+                        tarball.extractall(tmp_dir, [tar_member_info])
>                     path_full = extract_info["path"]
>                     shutil.move(
>                         os.path.join(tmp_dir, tar_member_info.name), path_full
>                     )
>                 else:
>                     dir_path = os.path.dirname(extract_info["path"])
>-                    tarball.extractall(dir_path, [tar_member_info])
>+                    if hasattr(tarfile, "data_filter"):
>+                        # Safe way of extraction is available since Python 3.12,
>+                        # hasattr above checks if it's available.
>+                        # It's also backported to 3.11.4, 3.10.12, 3.9.17.
>+                        # It may be backported to older versions in downstream.
>+                        tarball.extractall(
>+                            dir_path, [tar_member_info], filter="data"
>+                        )
>+                    else:
>+                        # Unsafe way of extracting
>+                        # Remove once we don't support Python 3.8 and older
>+                        tarball.extractall(dir_path, [tar_member_info])
>                     path_full = os.path.join(dir_path, tar_member_info.name)
>                 file_attrs = extract_info["attrs"]
>                 os.chmod(path_full, file_attrs["mode"])
>-- 
>2.30.2
>

Actions: View | Diff

Attachments on bug 2219407: 1975184