Ubuntu
cobbler package

Editing Kickstarts/Snippets errors with "tainted file location"

Bug #750402 reported by David Dyball
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cobbler (Ubuntu)
Fix Released
High
Dustin Kirkland 

Bug Description

Binary package hint: cobbler

Description: The latest packages for cobbler, cobbler-common and cobbler-web in Natty, (cobbler-2.1.0-0ubuntu2) give an errors when trying to use the web-based editor to modify kickstart or snippet files:

Release: Ubuntu Natty (development Branch) 11.04

Steps To Recreate
1) Install cobbler, cobbler-web and cobbler-common
2) Login to the web-interface
3) Navigate to "Snippets" and/or "Kickstart Templates"
4) Click "Edit" next to any file and get the error bellow:

What should happen:
- You should be able to edit files using the in-browser editor

What does happen:
- You get an error like the one bellow

--------------------------------------------------------------------------------------------------------------------------------
Fault at /ksfile/edit/var/lib/cobbler/kickstarts/default.ks

<Fault 1: "<class 'cobbler.cexceptions.CX'>:'tainted file location'">

Request Method: GET
Request URL: http://<servername-scrubbed>/cobbler_web/ksfile/edit/var/lib/cobbler/kickstarts/default.ks
Django Version: 1.2.5
Exception Type: Fault
Exception Value:

<Fault 1: "<class 'cobbler.cexceptions.CX'>:'tainted file location'">

Exception Location: /usr/lib/python2.7/xmlrpclib.py in close, line 793
Python Executable: /usr/bin/python
Python Version: 2.7.1
Python Path: ['/usr/lib/python2.7', '/usr/lib/python2.7/plat-linux2', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages/gtk-2.0', '/usr/lib/pymodules/python2.7', '/usr/share/cobbler/web', '/usr/share/cobbler/web/cobbler_web']
Server time: Mon, 4 Apr 2011 15:32:43 +0000
--------------------------------------------------------------------------------------------------------------------------------

This appears to be a regression in the latest code for cobbler in upstream (see initial reporting here: http://<email address hidden>/msg01200.html) where the in-place editor does not like handling files that don't begin with a "/".

A patch has been released (http://<email address hidden>/msg01202.html):

--------------------------------------------------------------------------------------------------------------------------------
commit 41a92b11969ab9c30b749ab99be70566cd943093
Author: James Cammarata <email address hidden>
Date: Wed Mar 30 16:42:18 2011 -0500

    Fix for snippet/kickstart editing via the web interface, where a
'tainted file path' error was thrown
--------------------------------------------------------------------------------------------------------------------------------

URL: https://github.com/jimi1283/cobbler/commit/41a92b11969ab9c30b749ab99be70566cd943093

Not sure if the decision will be to apply the patch to the Ubuntu package, or wait for it to get put into upstream (seems serious enough that it will be included though).

Cheers,
David.

Related branches

lp:ubuntu/natty/cobbler
Revision history for this message
David Dyball (david-dyball) wrote :

Confirmed that the following patch and changes works to fix the problem:

https://github.com/jimi1283/cobbler/commit/41a92b11969ab9c30b749ab99be70566cd943093

Dustin Kirkland  (kirkland)
Changed in cobbler (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Thanks, David.

Pardon me for being unfamiliar with github, but can I just get a raw diff from that link?

Changed in cobbler (Ubuntu):
assignee: nobody → Dustin Kirkland (kirkland)
status: Confirmed → In Progress
Revision history for this message
Dustin Kirkland  (kirkland) wrote :

Okay, I just cloned the branch and cherry picked it.

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

David,

Are you, or is the author of this patch upstreaming this to the
cobbler project itself?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.1.0-0ubuntu4

---------------
cobbler (2.1.0-0ubuntu4) natty; urgency=low

  * debian/patches/36_tainted_file_path.patch: cherry-pick fix
    to tainted file path errors, LP: #750402
 -- Dustin Kirkland <email address hidden> Mon, 04 Apr 2011 13:14:13 -0500

Changed in cobbler (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
David Dyball (david-dyball) wrote :

Hi Dustin,

The github repo appears to just be a working-copy of the upstream source tree for that particular devs work, so I can't say yes/no to it being committed upstream, or even if the copy on that particular repo is recent... It is maintained by "jimi1283" which could be a handle for James Cammarata, one of the regular cobbler contributors. I can pursue this upstream if it's better suited there though?

I can generate a diff based on the modifications I made to get it working though. Can you confirm that the latest Ubuntu package in Natty is built from recent upstream source? (this should save me having to pull it myself and test the newest source myself before submitting a patch).

This is really the first bug-report I've ever filed for anything... so I am easy pleased to send it upstream rather than provide a ubuntu-only patch.

Cheers for looking into this Dustin. It's most appreciated.

David.

Revision history for this message
David Dyball (david-dyball) wrote :

Just saw https://launchpad.net/ubuntu/+source/cobbler/2.1.0-0ubuntu4 that has the patch. Will pull this and try now on my test system.

Cheers,
Dave.

Revision history for this message
Dustin Kirkland  (kirkland) wrote : Re: [Bug 750402] Re: Editing Kickstarts/Snippets errors with "tainted file location"

On Mon, Apr 4, 2011 at 4:15 PM, David Dyball <email address hidden> wrote:
> Just saw https://launchpad.net/ubuntu/+source/cobbler/2.1.0-0ubuntu4
> that has the patch. Will pull this and try now on my test system.

Right, I did a quick sniff test and it seemed to work well for me, so
I uploaded it. If you could confirm the fix, that would be
phenomenal!

--
:-Dustin

Revision history for this message
Dustin Kirkland  (kirkland) wrote :

On Mon, Apr 4, 2011 at 4:05 PM, David Dyball <email address hidden> wrote:
> The github repo appears to just be a working-copy of the upstream source
> tree for that particular devs work, so I can't say yes/no to it being
> committed upstream, or even if the copy on that particular repo is
> recent... It is maintained by "jimi1283" which could be a handle for
> James Cammarata, one of the regular cobbler contributors. I can pursue
> this upstream if it's better suited there though?

We would *greatly* appreciate it if you could report this bug
upstream, pointing to the commit and just asking if upstream is aware
of the issue, and intends on fixing it, and if the proposed patch is
suitable or completely unacceptable for some reason.

In Ubuntu, we do carry patches against Debian and/or upstream sources,
but we really want to try and keep that delta to a minimum, and ensure
that such fixes find their way into upstream eventually and over time,
so that our delta does not increase uncontrollably.

> I can generate a diff based on the modifications I made to get it
> working though. Can you confirm that the latest Ubuntu package in Natty
> is built from recent upstream source? (this should save me having to
> pull it myself and test the newest source myself before submitting a
> patch).

The Ubuntu package is built from the very recent Cobbler 2.1 GA
release. No need to build, though, as a subsequent email from you
confirms you found that I have uploaded this fix already.

> This is really the first bug-report I've ever filed for anything... so I
> am easy pleased to send it upstream rather than provide a ubuntu-only
> patch.

:-) Welcome!

> Cheers for looking into this Dustin. It's most appreciated.

You bet. Thanks for your contributions, testing, re-testing, and
finding patches. Cheers!

--
:-Dustin

Revision history for this message
David Dyball (david-dyball) wrote :

Confirmed that 2.1.0-0ubuntu4 fixes this issue.

Going to head upstream and try and make them aware of it, if they aren't already.

Cheers,
David.

Revision history for this message
David Dyball (david-dyball) wrote :

Confirmed that jimi1283 is indeed James Cammarata and that he is one of the primary contributors for cobbler, so the aforementioned patches are indeed James' work and he is aware of the issue. Hopefully his patch will work its way into the upstream.

Under these circumstances, what are the options? Will cobbler get built with patch-36 ("tainted file location patch") for cobbler-2.1.0-0ubuntu4, or will we just make continuous checks of upstream to wait for them to fix the issue?

I will run with the deb-source packages for ubuntu4 that you uploaded this evening though.

On a side-note, this "contributing" thing is rather cool. Might have to keep it up ;-)

David.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.