Nice find Matthias
Russell: the way we're using commonprefix here, we may as well just use startswith() i.e.
os.path.commonprefix([fs, absolute_path]) == fs
is equivalent to:
absolute_path.startswith(fs)
FWIW, the xenapi driver handles injected_files via the guest agent and isn't vulnerable.
Pádraig is right:
def _inject_key_into_fs(key, fs, execute=None): sshdir = os.path.join(fs, 'root', '.ssh') ... keyfile = os.path.join(sshdir, 'authorized_keys')
need to apply realpath() here too. Easiest is to add an 'append' arg to _inject_file_into_fs() and re-use that.
def _inject_metadata_into_fs(metadata, fs, execute=None): metadata_path = os.path.join(fs, "meta.js")
meta.js could be a symlink ... again, we should just use _inject_file_into_fs() here
Nice find Matthias
Russell: the way we're using commonprefix here, we may as well just use startswith() i.e.
os.path. commonprefix( [fs, absolute_path]) == fs
is equivalent to:
absolute_ path.startswith (fs)
FWIW, the xenapi driver handles injected_files via the guest agent and isn't vulnerable.
Pádraig is right:
def _inject_ key_into_ fs(key, fs, execute=None): join(sshdir, 'authorized_keys')
sshdir = os.path.join(fs, 'root', '.ssh')
...
keyfile = os.path.
need to apply realpath() here too. Easiest is to add an 'append' arg to _inject_ file_into_ fs() and re-use that.
def _inject_ metadata_ into_fs( metadata, fs, execute=None):
metadata_ path = os.path.join(fs, "meta.js")
meta.js could be a symlink ... again, we should just use _inject_ file_into_ fs() here