Description of problem:
In issues.py, view_issue_raw_file() services issue attachments from pagure_config["ATTACHMENTS_FOLDER"]. The requested filename comes directly from the URL and is concatenated with the attachments folder and the repository name.

    @UI_NS.route("/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/<namespace>/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/fork/<username>/<repo>/issue/raw/<path:filename>")
    @UI_NS.route("/fork/<username>/<namespace>/<repo>/issue/raw/<path:filename>")
    @has_issue_tracker
    def view_issue_raw_file(repo, filename=None, username=None, namespace=None):
        # [...]
        attachdir = os.path.join(
            pagure_config["ATTACHMENTS_FOLDER"], repo.fullname
        )
        attachpath = os.path.join(attachdir, filename)
        if not os.path.exists(attachpath):
            # [...]
        # At this moment, attachpath exists and points to the file
        with open(attachpath, "rb") as f:
            data = f.read()
        # [...]
        return (data, 200, pagure.lib.mimetype.get_type_headers(filename, data))

The "path" routing converter accepts all characters, including slashes and thus also directory traversal sequences.

Version-Release number of selected component (if applicable):
Introduced with commit 96c928b in release 3.0, and verified on latest commit as of today (fe91f76).

How reproducible:
This bug can be reproduced on the latest development version of Pagure; see steps below. It is important to note that reverse-proxies in front of Pagure can thwart exploitation attempts depending on their configuration, as they often try to normalize the URL. This is not a security feature and it shouldn't be relied upon. I could demonstrate it locally but not on stg.pagure.io after succinct tests.

Steps to Reproduce:
1. Create a new repository;
2. Go to "Settings", "Project Options" and make sure that "Issue tracker" is ticked;
3. Run the command curl --path-as-is 'http://pagure.local:5000/your-repository/issue/raw/../../../../../../../etc/passwd'.

Actual results:
On my test instance, the content of /etc/passwd is shown.

Expected results:
Only files under the intended attachments folder should be served.

Additional info:
Flask offers flask.send_from_directory() (https://flask.palletsprojects.com/en/3.0.x/api/#flask.send_from_directory) for such cases.

https://bugzilla.redhat.com/show_bug.cgi?id=2279411
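A hardened lookup for the route described in the report, added here as an example and not Pagure's own code or its eventual fix: it performs the same joins as view_issue_raw_file() but validates the URL-supplied filename lexically and then checks that the canonical path is still contained in the repository's attachment directory, which is the containment rule flask.send_from_directory() enforces. The function name and the "return None on rejection" convention are assumptions for this example.

```python
import os


def resolve_attachment(attachments_folder, repo_fullname, filename):
    """Return the canonical path of an issue attachment, or None when the
    request would escape the repository's attachment directory.

    Hypothetical helper (not Pagure's code): mirrors the
    ATTACHMENTS_FOLDER / repo.fullname / filename joins of the vulnerable
    route, but treats ``filename`` as untrusted input from a <path:> URL
    segment instead of handing it straight to open().
    """
    # Canonical base directory: ATTACHMENTS_FOLDER / repo.fullname
    attachdir = os.path.realpath(os.path.join(attachments_folder, repo_fullname))

    # 1. Lexical check on the untrusted value: reject absolute paths and any
    #    empty, "." or ".." segment. The <path:> converter passes all of these
    #    through, which is what the report's curl --path-as-is request relies on.
    if os.path.isabs(filename) or filename.startswith(("/", "\\")):
        return None
    for segment in filename.replace("\\", "/").split("/"):
        if segment in ("", ".", ".."):
            return None

    # 2. Containment check after canonicalisation (defence in depth): catches
    #    anything the lexical check cannot see, e.g. a symlink inside attachdir
    #    that points outside it.
    candidate = os.path.realpath(os.path.join(attachdir, filename))
    if os.path.commonpath([attachdir, candidate]) != attachdir:
        return None
    return candidate
```

In the Flask route itself the equivalent one-liner is `send_from_directory(attachdir, filename)`, which raises NotFound for the same traversal inputs this function rejects.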
Created pagure tracking bugs for this issue:
Affects: epel-all [bug 2280727]
Affects: fedora-all [bug 2280728]
@ntait why was this ticket made public when it contains information about a CVE not fixed? (and how to reproduce/exploit it!)
@ntait the vulnerability is fixed in pagure, new fedora packages are released as well. All related bugs are resolved, do you want to close this one too?
Yep, thanks for the follow up.