Bug ID 1122683
Summary osc: deprecate insecure APIs
Classification Internal Novell Products
Product openSUSE Build Service
Version master
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component osc
Assignee adrian@suse.com
Reporter malte.kraus@suse.com
QA Contact adrian@suse.com
Found By ---
Blocker ---

From bnc#1119444:

> > The OSC client has some vulnerable code in it, that it doesn't use itself but provides as a library to plugins. In one case there's even a comment explicitly marking this as insecure, but are not removed due to compatibility concerns. If not breaking backwards compatibility under any circumstances is that important, I recommend adding deprecation warnings (https://docs.python.org/2.6/library/warnings.html#temporarily-suppressing-warnings) to move plugins over to secure APIs.
> 
> Can you create a dedicated request for this?


Specifically, the 'unpack_srcrpm' function has such a warning as a comment.

Also, 'Ar.saveTo' and 'CpioRead.copyin' can be made to store files in arbitrary
locations if the archive they parse contains a filename starting with a "/".
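As an added illustration of the two points in this report (it is not osc's own code and does not reproduce 'Ar.saveTo' or 'CpioRead.copyin'), the following Python shows a destination-path check that rejects archive member names which would land outside the extraction directory, next to a compatibility wrapper that keeps the old trusting behaviour but emits a DeprecationWarning so plugin authors are steered to the safe variant. The function names (safe_member_path, unsafe_member_path, check_members, legacy_join_with_warning), the destination directory and the member names are constructed for this example.

```python
import os
import posixpath
import warnings


def safe_member_path(dest_dir, member_name):
    """Return the on-disk path for an archive member, or raise ValueError.

    Rejects absolute names ("/etc/passwd"), names that climb out of dest_dir
    via "..", names that resolve to dest_dir itself, and names containing a
    backslash (a separator on Windows). ar and cpio archives store names with
    forward slashes, so the name is normalised with posixpath first and then
    joined component by component with os.path.join.
    """
    if not member_name:
        raise ValueError("empty member name")
    if "\\" in member_name:
        raise ValueError("backslash in member name: %r" % member_name)
    norm = posixpath.normpath(member_name)
    if norm.startswith("/") or norm in (".", "..") or norm.startswith("../"):
        raise ValueError("unsafe member name: %r" % member_name)
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *norm.split("/")))
    # Belt and braces: the joined path must still sit below dest_dir.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        raise ValueError("member escapes destination: %r" % member_name)
    return target


def unsafe_member_path(dest_dir, member_name):
    """Legacy behaviour kept only for compatibility: trusts the member name.

    os.path.join discards dest_dir when member_name is absolute, which is the
    arbitrary-write behaviour described in the report. The DeprecationWarning
    nudges callers to safe_member_path(); note that Python hides
    DeprecationWarnings by default, so run with
    -W default::DeprecationWarning (or a warnings filter) to see them.
    """
    warnings.warn(
        "unsafe_member_path() trusts archive member names; "
        "use safe_member_path() instead",
        DeprecationWarning,
        stacklevel=2,
    )
    return os.path.join(dest_dir, member_name)


def legacy_join_with_warning(dest_dir, member_name):
    """Call the deprecated helper and report whether it warned.

    Returns (path, warned) so the deprecation behaviour can be checked
    without relying on the interpreter's default warning filters.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always", DeprecationWarning)
        path = unsafe_member_path(dest_dir, member_name)
    warned = any(issubclass(w.category, DeprecationWarning) for w in caught)
    return path, warned


def check_members(dest_dir, names):
    """Map each member name to its accepted path, or None if rejected."""
    result = {}
    for name in names:
        try:
            result[name] = safe_member_path(dest_dir, name)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed member names, as they might appear in a crafted archive.
    sample = ["usr/bin/foo", "./a/./b", "/etc/passwd", "../escape",
              "a/../../x", ".", ""]
    for name, path in check_members("/tmp/out", sample).items():
        print("%-14r -> %s" % (name, path or "REJECTED"))
    print(legacy_join_with_warning("/tmp/out", "/etc/passwd"))
```

The commonpath check is a second line of defence after the name-based rejection, but neither resolves symlinks already present in the destination tree: an archive that first extracts a symlink and then a file beneath it can still write through the link, so an extractor that accepts symlink members needs to resolve or refuse them as well.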