This repository has been archived by the owner on Sep 22, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy path2017.7.8_CVE-2020-11652.patch
148 lines (138 loc) · 4.9 KB
/
2017.7.8_CVE-2020-11652.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
diff --git a/salt/auth/__init__.py b/salt/auth/__init__.py
index b24bbd4..fb61799 100644
--- a/salt/auth/__init__.py
+++ b/salt/auth/__init__.py
@@ -243,6 +243,8 @@ class LoadAuth(object):
not valid
'''
t_path = os.path.join(self.opts['token_dir'], tok)
+ if not salt.utils.verify.clean_path(self.opts['token_dir'], t_path):
+ return {}
if not os.path.isfile(t_path):
return {}
try:
diff --git a/salt/utils/verify.py b/salt/utils/verify.py
index 802b373..becf682 100644
--- a/salt/utils/verify.py
+++ b/salt/utils/verify.py
@@ -29,6 +29,7 @@ from salt.exceptions import SaltClientError, SaltSystemExit, \
import salt.defaults.exitcodes
import salt.utils
import salt.utils.files
+import salt.ext.six
log = logging.getLogger(__name__)
@@ -462,23 +463,69 @@ def check_max_open_files(opts):
log.log(level=level, msg=msg)
+def _realpath_darwin(path):
+ base = ''
+ for part in path.split(os.path.sep)[1:]:
+ if base != '':
+ if os.path.islink(os.path.sep.join([base, part])):
+ base = os.readlink(os.path.sep.join([base, part]))
+ else:
+ base = os.path.abspath(os.path.sep.join([base, part]))
+ else:
+ base = os.path.abspath(os.path.sep.join([base, part]))
+ return base
+
+
+def _realpath_windows(path):
+ base = ''
+ for part in path.split(os.path.sep):
+ if base != '':
+ try:
+ part = os.readlink(os.path.sep.join([base, part]))
+ base = os.path.abspath(part)
+ except OSError:
+ base = os.path.abspath(os.path.sep.join([base, part]))
+ else:
+ base = part
+ return base
+
+
+def _realpath(path):
+ '''
+ Cross platform realpath method. On Windows when python 3, this method
+ uses the os.readlink method to resolve any filesystem links. On Windows
+ when python 2, this method is a no-op. All other platforms and version use
+ os.path.realpath
+ '''
+ if salt.utils.is_darwin():
+ return _realpath_darwin(path)
+ elif salt.utils.is_windows():
+ if salt.ext.six.PY3:
+ return _realpath_windows(path)
+ else:
+ return path
+ return os.path.realpath(path)
+
+
def clean_path(root, path, subdir=False):
'''
Accepts the root the path needs to be under and verifies that the path is
under said root. Pass in subdir=True if the path can result in a
subdirectory of the root instead of having to reside directly in the root
'''
- if not os.path.isabs(root):
+ real_root = _realpath(root)
+ if not os.path.isabs(real_root):
return ''
if not os.path.isabs(path):
path = os.path.join(root, path)
path = os.path.normpath(path)
+ real_path = _realpath(path)
if subdir:
- if path.startswith(root):
- return path
+ if real_path.startswith(real_root):
+ return real_path
else:
- if os.path.dirname(path) == os.path.normpath(root):
- return path
+ if os.path.dirname(real_path) == os.path.normpath(real_root):
+ return real_path
return ''
diff --git a/salt/wheel/config.py b/salt/wheel/config.py
index 27733aa..a9c8f0b 100644
--- a/salt/wheel/config.py
+++ b/salt/wheel/config.py
@@ -12,6 +12,7 @@ import os
import yaml
# Import salt libs
+import salt.utils.verify
import salt.config
from salt.utils.yamldumper import SafeOrderedDumper
@@ -87,6 +88,10 @@ def update_config(file_name, yaml_contents):
os.makedirs(dir_path, 0o755)
file_path = os.path.join(dir_path, file_name)
+
+ if not salt.utils.verify.clean_path(dir_path, file_path):
+ return 'Invalid path'
+
with salt.utils.fopen(file_path, 'w') as fp_:
fp_.write(yaml_out)
diff --git a/salt/wheel/file_roots.py b/salt/wheel/file_roots.py
index ff13d39..23cef9b 100644
--- a/salt/wheel/file_roots.py
+++ b/salt/wheel/file_roots.py
@@ -24,6 +24,8 @@ def find(path, saltenv='base'):
return ret
for root in __opts__['file_roots'][saltenv]:
full = os.path.join(root, path)
+ if not salt.utils.verify.clean_path(root, full):
+ continue
if os.path.isfile(full):
# Add it to the dict
with salt.utils.fopen(full, 'rb') as fp_:
@@ -104,7 +106,10 @@ def write(data, path, saltenv='base', index=0):
if os.path.isabs(path):
return ('The path passed in {0} is not relative to the environment '
'{1}').format(path, saltenv)
- dest = os.path.join(__opts__['file_roots'][saltenv][index], path)
+ root = __opts__['file_roots'][saltenv][index]
+ dest = os.path.join(root, path)
+ if not salt.utils.verify.clean_path(root, dest, subdir=True):
+ return 'Invalid path: {}'.format(path)
dest_dir = os.path.dirname(dest)
if not os.path.isdir(dest_dir):
os.makedirs(dest_dir)