Bug #24011
closed
Archiving allows to read inconsistent active technique category ids
Added by Clark ANDRIANASOLO 11 months ago.
Updated 9 months ago.
Category:
Web - Maintenance
Severity:
Minor - inconvenience | misleading | easy workaround
Description
When importing an archive from git, the id of the active technique category is never sanitized, and it could lead to inconsistent behavior like creating other directories outside /var/rudder/configuration-repository when restoring the archive, e.g. when an id contains relative file path characters.
- Status changed from New to In progress
- Description updated (diff)
- Description updated (diff)
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to Alexis Mousset
- Pull Request set to https://github.com/Normation/rudder/pull/5314
- Target version changed from 7.3.11 to 7.3.12
- Status changed from Pending technical review to Pending release
- Fix check changed from To do to Checked
It no longer creates additional files when hacking the xml content in the configuration-repository: the /home/user/test.xml file is no longer created when I edit a directive to have an id ../../../../../../home/user/test, and I archive and then re-import the archive. (Not sure, though, why the error is silent.)
- Status changed from Pending release to Released
This bug has been fixed in Rudder 7.3.12 and 8.0.6 which were released today.
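The kind of check the description and the verification note above call for, as an added example that is not Rudder's code or the content of the linked pull request: each id read from an archive is accepted only as a single path component, the resolved directory must stay under the repository root, and every rejection is reported. The id grammar, the function names and the sample ids are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed id grammar (not Rudder's actual rule): one path component made of
# letters, digits, '_', '-' and '.', and not starting with '.'.
ID_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,254}")


class UnsafeId(ValueError):
    """Raised when an id from an archive cannot be used as a directory name."""


def validate_id(raw):
    # Rejects '/', '\\', NUL, empty strings and the '.' / '..' components.
    if not ID_RE.fullmatch(raw):
        raise UnsafeId(f"id {raw!r} is not a single safe path component")
    return raw


def category_dir(base, ids):
    """Map a chain of category ids to a directory that must stay under base."""
    root = Path(base).resolve()
    target = root.joinpath(*(validate_id(i) for i in ids)).resolve()
    try:
        # Second layer: catches symlinks inside the repository that point out.
        target.relative_to(root)
    except ValueError:
        raise UnsafeId(f"{target} escapes {root}") from None
    return target


def check_archive(base, chains):
    """Return (accepted paths, rejection messages); nothing is dropped silently."""
    accepted, rejected = [], []
    for chain in chains:
        try:
            accepted.append(category_dir(base, chain))
        except UnsafeId as err:
            rejected.append(str(err))
    return accepted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:  # stand-in for the repository
        # Constructed sample ids; the second is the id used in the test above.
        sample = [["sample-category", "sub.1"],
                  ["../../../../../../home/user/test"]]
        ok, bad = check_archive(repo, sample)
        print("accepted:", ok)
        print("rejected:", bad)
```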