[Bug 750402] [NEW] Editing Kickstarts/Snippets errors with "tainted file location"
David Dyball
750402 at bugs.launchpad.net
Mon Apr 4 15:41:22 UTC 2011
Public bug reported:
Binary package hint: cobbler
Description: The latest packages for cobbler, cobbler-common and
cobbler-web in Natty (cobbler-2.1.0-0ubuntu2) give an error when
trying to use the web-based editor to modify kickstart or snippet files:
Release: Ubuntu Natty (development Branch) 11.04
Steps To Recreate
1) Install cobbler, cobbler-web and cobbler-common
2) Login to the web-interface
3) Navigate to "Snippets" and/or "Kickstart Templates"
4) Click "Edit" next to any file and get the error below:
What should happen:
- You should be able to edit files using the in-browser editor
What does happen:
- You get an error like the one below
--------------------------------------------------------------------------------------------------------------------------------
Fault at /ksfile/edit/var/lib/cobbler/kickstarts/default.ks
<Fault 1: "<class 'cobbler.cexceptions.CX'>:'tainted file location'">
Request Method: GET
Request URL: http://<servername-scrubbed>/cobbler_web/ksfile/edit/var/lib/cobbler/kickstarts/default.ks
Django Version: 1.2.5
Exception Type: Fault
Exception Value:
<Fault 1: "<class 'cobbler.cexceptions.CX'>:'tainted file location'">
Exception Location: /usr/lib/python2.7/xmlrpclib.py in close, line 793
Python Executable: /usr/bin/python
Python Version: 2.7.1
Python Path: ['/usr/lib/python2.7', '/usr/lib/python2.7/plat-linux2', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages/gtk-2.0', '/usr/lib/pymodules/python2.7', '/usr/share/cobbler/web', '/usr/share/cobbler/web/cobbler_web']
Server time: Mon, 4 Apr 2011 15:32:43 +0000
--------------------------------------------------------------------------------------------------------------------------------
This appears to be a regression in the latest code for cobbler in
upstream (see initial reporting here:
http://www.mail-archive.com/cobbler-devel@lists.fedorahosted.org/msg01200.html)
where the in-place editor does not like handling files that don't begin with a "/".
A patch has been released
(http://www.mail-archive.com/cobbler-devel@lists.fedorahosted.org/msg01202.html):
--------------------------------------------------------------------------------------------------------------------------------
commit 41a92b11969ab9c30b749ab99be70566cd943093
Author: James Cammarata <j... at sngx.net>
Date: Wed Mar 30 16:42:18 2011 -0500
Fix for snippet/kickstart editing via the web interface, where a
'tainted file path' error was thrown
--------------------------------------------------------------------------------------------------------------------------------
URL:
https://github.com/jimi1283/cobbler/commit/41a92b11969ab9c30b749ab99be70566cd943093
Not sure if the decision will be to apply the patch to the Ubuntu
package, or wait for it to get put into upstream (seems serious enough
that it will be included though).
Cheers,
David.
** Affects: cobbler (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to cobbler in Ubuntu.
https://bugs.launchpad.net/bugs/750402
Title:
Editing Kickstarts/Snippets errors with "tainted file location"
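
Added example, not part of the bug report and not cobbler's code: a sketch of a file-location check that accepts a path arriving without its leading "/" while still refusing anything outside the template directory. The names `strict_check`, `checked_path`, `TaintedPath` and the allow-list are hypothetical, and it assumes the editor receives the path from the URL with the leading slash missing, which the report does not show.

```python
import posixpath

# Assumed allow-list: only the kickstarts directory appears in the report.
ALLOWED_DIRS = ("/var/lib/cobbler/kickstarts",)


class TaintedPath(Exception):
    """Stand-in for the CX('tainted file location') fault quoted in the report."""


def strict_check(path):
    """Behaviour as the report describes it: reject any path not starting with '/'."""
    if not path.startswith("/"):
        raise TaintedPath("tainted file location")
    return path


def checked_path(path, allowed=ALLOWED_DIRS):
    """Anchor the path at '/', collapse '..' segments, then require containment."""
    if "\x00" in path:
        raise TaintedPath("tainted file location")
    # Exactly one leading slash, so 'var/lib/...' and '/var/lib/...' are equivalent.
    candidate = posixpath.normpath("/" + path.lstrip("/"))
    for base in allowed:
        # The trailing '/' stops sibling directories such as 'kickstarts-old' matching.
        if candidate.startswith(base + "/"):
            return candidate
    raise TaintedPath("tainted file location")


def is_tainted(check, path):
    """True when the given check refuses the path."""
    try:
        check(path)
        return False
    except TaintedPath:
        return True


if __name__ == "__main__":
    # Constructed sample inputs; the first is the path from the fault URL.
    for sample in ("var/lib/cobbler/kickstarts/default.ks",
                   "var/lib/cobbler/kickstarts/../../../../etc/passwd",
                   "/var/lib/cobbler/kickstarts-old/default.ks"):
        print(sample, "strict:", is_tainted(strict_check, sample),
              "contained:", is_tainted(checked_path, sample))
```

`normpath` is purely lexical; a server-side check would also resolve symlinks (for example with `os.path.realpath`) before the containment test.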