Bug ID | 1122683 |
---|---|
Summary | osc: deprecate insecure APIs |
Classification | Internal Novell Products |
Product | openSUSE Build Service |
Version | master |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | osc |
Assignee | adrian@suse.com |
Reporter | malte.kraus@suse.com |
QA Contact | adrian@suse.com |
Found By | --- |
Blocker | --- |
From bnc#1119444:

> The OSC client has some vulnerable code in it that it doesn't use itself but provides as a library to plugins. In one case there's even a comment explicitly marking this as insecure, but it is not removed due to compatibility concerns. If not breaking backwards compatibility under any circumstances is that important, I recommend adding deprecation warnings (https://docs.python.org/2.6/library/warnings.html#temporarily-suppressing-warnings) to move plugins over to secure APIs.
>
> Can you create a dedicated request for this?

Specifically, the `unpack_srcrpm` function has such a warning as a comment. Also, `Ar.saveTo` and `CpioRead.copyin` can be made to store files in arbitrary locations if the archive they parse contains a filename starting with a "/".
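As an added illustration (not osc's own code): a destination check of the kind that would close the `Ar.saveTo`/`CpioRead.copyin` issue described above, beside a `DeprecationWarning` wrapper of the kind the quoted report recommends for legacy entry points. `safe_member_path`, `save_to_legacy` and `save_to_checked` are hypothetical names, not osc functions.

```python
import functools
import os
import warnings

class UnsafeMemberPath(ValueError):
    """Member name would place the file outside the destination tree."""

def safe_member_path(dest_dir, member_name):
    """Map an archive member name onto a path inside dest_dir, or raise.
    Rejects names starting with "/" (the report's case), ".." components,
    and anything still resolving outside dest_dir (e.g. symlinked parent).
    """
    if not member_name or member_name.startswith("/"):
        raise UnsafeMemberPath("absolute or empty member name: %r" % member_name)
    if ".." in member_name.split("/"):
        raise UnsafeMemberPath("parent-directory component in %r" % member_name)
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeMemberPath("%r escapes %r" % (member_name, dest_dir))
    return target

def deprecated(replacement):
    """Decorator: emit a DeprecationWarning that names the replacement API."""
    def decorate(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            warnings.warn("%s is deprecated; use %s instead"
                          % (func.__name__, replacement),
                          DeprecationWarning, stacklevel=2)
            return func(*args, **kwargs)
        return wrapper
    return decorate

@deprecated("save_to_checked")
def save_to_legacy(dest_dir, member_name):
    """Hypothetical stand-in for the old behaviour: os.path.join lets an
    absolute member name discard dest_dir entirely."""
    return os.path.join(dest_dir, member_name)

def save_to_checked(dest_dir, member_name):
    """Hardened variant with the same signature; raises on unsafe names."""
    return safe_member_path(dest_dir, member_name)

def emits_deprecation_warning(func, *args):
    """True if calling func(*args) emits a DeprecationWarning."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        func(*args)
    return any(issubclass(w.category, DeprecationWarning) for w in caught)
```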