[2.15] fix installing roles with symlinks containing '..' (#82165) #82324

Merged
merged 1 commit into from
Jan 18, 2024


s-hertel
Contributor

@s-hertel s-hertel commented Nov 30, 2023

SUMMARY

Backporting #82165

Set the tarfile attribute to a normalized value from unfrackpath instead of validating path parts and omitting potentially invalid parts

Allow tarfile paths/links containing '..', '$', '~' as long as the normalized realpath is in the tarfile's role directory

(cherry picked from commit 3a42a00)

ISSUE TYPE
  • Bugfix Pull Request
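
The containment rule described in the summary above, as an added example that is not the PR's or Ansible's own code. It uses `os.path.realpath` as a stand-in for `unfrackpath`, treats `$` and `~` as literal characters, handles symlinks only, and the function names and sample archive are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def safe_dest(role_dir, name, linkname=None):
    """Return the normalized extraction path, or None if it leaves role_dir."""
    root = os.path.realpath(role_dir)
    dest = os.path.realpath(os.path.join(root, name))
    targets = [dest]
    if linkname is not None:
        # A relative symlink target resolves from the directory holding the link.
        targets.append(os.path.realpath(os.path.join(os.path.dirname(dest), linkname)))
    if any(os.path.commonpath([root, p]) != root for p in targets):
        return None
    return dest


def build_sample_tar():
    """Constructed sample archive; each entry is (member name, symlink target)."""
    entries = [
        ("tasks/main.yml", None),
        ("files/ok_link", "../tasks/main.yml"),   # '..' that stays in the role
        ("files/$cfg~", None),                    # literal '$' and '~'
        ("files/escape", "../../../etc/passwd"),  # link target leaves the role
        ("../outside.txt", None),                 # member path leaves the role
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)  # zero-length members, no file object needed
    return buf.getvalue()


def audit(tar_bytes, role_dir):
    """Map each member name to its normalized destination, or None if rejected."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: safe_dest(role_dir, m.name, m.linkname if m.issym() else None)
                for m in tar.getmembers()}


if __name__ == "__main__":
    for member, dest in audit(build_sample_tar(), tempfile.mkdtemp()).items():
        print(f"{member!r}: {dest or 'REJECTED'}")
```

A filter that rejects or drops any `..` path part would refuse `files/ok_link` even though its target stays inside the role; comparing normalized paths accepts it while still rejecting the two escaping members.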

@ansibot ansibot added bug This issue/PR relates to a bug. needs_triage Needs a first human triage before being processed. backport This PR does not target the devel branch. labels Nov 30, 2023
@webknjaz
Member

webknjaz commented Dec 1, 2023

/azp run


Azure Pipelines successfully started running 1 pipeline(s).

@ansibot ansibot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. label Dec 1, 2023
@webknjaz
Member

webknjaz commented Dec 7, 2023

@s-hertel try rebasing?

@webknjaz webknjaz added the ci_verified Changes made in this PR are causing tests to fail. label Dec 7, 2023
@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Dec 14, 2023
…ble#82165)

Set the tarfile attribute to a normalized value from unfrackpath instead
of validating path parts and omitting potentially invalid parts

Allow tarfile paths/links containing '..', '$', '~' as long as the
normalized realpath is in the tarfile's role directory

(cherry picked from commit 3a42a00)
@webknjaz

This comment was marked as resolved.

This comment was marked as outdated.

@ansibot ansibot removed ci_verified Changes made in this PR are causing tests to fail. needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR. stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. labels Jan 2, 2024
@snowmobile2004

Any update on this? Currently experiencing this bug on AWX 3.5.1.

@ansibot ansibot added the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jan 15, 2024
@sivel
Member

sivel commented Jan 18, 2024

/azp run


Azure Pipelines successfully started running 1 pipeline(s).

@ansibot ansibot removed the stale_ci This PR has been tested by CI more than one week ago. Close and re-open this PR to get it retested. label Jan 18, 2024
@sivel sivel merged commit 2477059 into ansible:stable-2.15 Jan 18, 2024
83 checks passed
@sivel sivel removed the needs_triage Needs a first human triage before being processed. label Jan 22, 2024
@ansible ansible locked and limited conversation to collaborators Feb 15, 2024
Labels
backport This PR does not target the devel branch. bug This issue/PR relates to a bug.
5 participants