reposync: check for .. in remote paths. BZ 1506205 #43
Conversation
dmnks
force-pushed
the
bz1552328
branch
2 times, most recently
from
3710cd8
to
1882935
Compare
For better readability (remote_path == relativepath).
|
@m-blaha Marek, could you please review my patch? Thank you! |
| if is_subpath(pkg.remote_path, local_repo_path): | ||
| newlist.append(pkg) | ||
| continue | ||
| my.logger.warning( |
There was a problem hiding this comment.
A primary user of ../ paths is google compute engine's package repo. They have an odd yum repo structure where they use a ../../pool/ directory for packages similar to apt repos. We'd really like to mirror this repo into a directory of our choosing, so we hacked around it by running reposync with the --urls option and using wget to download those URLs into the correct directory structure. It'd be great if the reposync command could do the same instead of skipping these packages, I'm sure others have come across this issue.
There was a problem hiding this comment.
That's why we made it possible to enable the original (unsafe) behavior; just pass the --allow-path-traversal CLI option.
|
Unfortunately, that argument allows actually path traversal on the filesystem. We have a fixed directory on our server for packages and we want all of these packages to live somewhere under that directory. So one option is to strip out the path traversal characters so we treat it as a relative path. For example, if the desired directory to download into was The other solution could be to have a flag to flatten it all to one dir so it would end up being |
|
Ah ok, gotcha. The thing is, reposync (the original yum-based implementation in this repo) is no longer actively developed upstream. We are still fixing occasional bugs reported by our (Red Hat) customers, but we no longer backport new features into RHEL-7/CentOS7. This would definitely fall into the "features" bucket. The community has moved to the dnf-based version of reposync which is shipped to Fedora, RHEL-8 and even RHEL-7 via the Extras channel (as a self-supported tech-preview). The use case you described makes sense and you're welcome to file an RFE against Fedora or, if you're a RH customer, a support ticket, to request such a feature, or better yet, just create a PR! :) |
|
That being said, (not to sound negative :) you’re welcome to contribute a PR here and I’d be happy to merge it for you, but like I said, you’d still have to make your own build of yum-utils in order to get that into RHEL/CentOS, I’m afraid. At that point, it’d probably be easier to just maintain your own fork. |
|
@dmnks you definitely don't sound negative, we patch plenty of distro packages, so that isn't unreasonable to me and we also already have hacked around this with That said, since currently stuck on 6, I didn't realize there was a dnf based version of this tool, but if course there is. I might actually switch over to that on our repo mirrors and handle it in the more modern dnf based tool. |
No description provided.