1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

6 Commits

Author SHA1 Message Date
Joseph Sutton
fce882ab67 python: Remove unused imports
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-08-30 02:15:29 +00:00
Noel Power
e401ae44b2 python/samba: Adjust tarfile extraction filter
The 'data_filter' is far too restrictive, this filter doesn't apply any
mode bits to directories which in turn will result in unexpected
directory permissions of the amongst others msg.[ls]ock directories.

With 'data_filter' and a 'patched' python at best we experience
CI failures with samba-ad-back1 & samba-ad-back2 CI jobs due to server
startup failures, at worst user/admins will need to adjust directory
permissions post backup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-07-21 01:25:37 +00:00
Andreas Schneider
1f74f9f366 python:safe_tarfile: Improve safe extract()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
431f7698e4 python:safe_tarfile: Implement safer extractall()
This also checks for symlinks and hardlinks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Andreas Schneider
8c90c66a9a python:safe_tarfile: Set extraction_filter for pythons providing it
It should be available for Python >= 3.11.4 but also has been
backported.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15390

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2023-06-14 22:57:34 +00:00
Douglas Bagnall
37406b9d97 CVE-2007-4559 python: ensure sanity in our tarfiles
Python's tarfile module is not very careful about paths that step out
of the target directory. We can be a bit better at little cost.

This was reported in 2007[1], and has recently been publicised [2, for
example].

We were informed of this bug in December 2021 by Luis Alberto López
Alvar, but decided then that there were no circumstances under which
this was a security concern. That is, if you can alter the backup
files, you can already do worse things. But there is a case to guard
against an administrator being tricked into trying to restore a file
that isn't based on a real backup.

[1] https://nvd.nist.gov/vuln/detail/CVE-2007-4559
[2] https://www.theregister.com/2022/09/22/python_vulnerability_tarfile/

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15185

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Oct  4 03:48:43 UTC 2022 on sn-devel-184
2022-10-04 03:48:43 +00:00