

CVE-2022-4314: Block repository access when user_root directory is empty or a relati… · ikus060/rdiffweb@b2df367

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2.


@@ -52,7 +52,7 @@ class MockRdiffRepo(RdiffRepo): def __init__(self): p = bytes(pkg_resources.resource_filename(‘rdiffweb.core’, ‘tests’), encoding=’utf-8’) # @UndefinedVariable RdiffRepo.__init__(self, os.path.dirname§, os.path.basename§, encoding=’utf-8’) RdiffRepo.__init__(self, p, encoding=’utf-8’) self.root_path = MockDirEntry(self)

@@ -221,7 +221,7 @@ def setUp(self): # Define location of testcases self.testcases_dir = os.path.normpath(os.path.join(self.temp_dir, ‘testcases’)) self.testcases_dir = self.testcases_dir.encode(‘utf8’) self.repo = RdiffRepo(self.temp_dir, b’testcases’, encoding=’utf-8’) self.repo = RdiffRepo(os.path.join(self.temp_dir, ‘testcases’), encoding=’utf-8’)
def tearDown(self): shutil.rmtree(self.temp_dir.encode(‘utf8’), True) @@ -230,14 +230,13 @@ def test_init(self): self.assertEqual(‘testcases’, self.repo.display_name)
def test_init_with_absolute(self): self.repo = RdiffRepo(self.temp_dir, ‘/testcases’, encoding=’utf-8’) self.repo = RdiffRepo(os.path.join(self.temp_dir, ‘/testcases’), encoding=’utf-8’) self.assertEqual(‘testcases’, self.repo.display_name)
def test_init_with_invalid(self): self.repo = RdiffRepo(self.temp_dir, ‘invalid’, encoding=’utf-8’) self.repo = RdiffRepo(os.path.join(self.temp_dir, ‘invalid’), encoding=’utf-8’) self.assertEqual(‘failed’, self.repo.status[0]) self.assertEqual(None, self.repo.last_backup_date) self.assertEqual(b’invalid’, self.repo.path) self.assertEqual(‘invalid’, self.repo.display_name)
@parameterized.expand( @@ -534,7 +533,7 @@ def test_status_access_denied_current_mirror(self): 0000, ) # Create repo again to query status self.repo = RdiffRepo(self.temp_dir, b’testcases’, encoding=’utf-8’) self.repo = RdiffRepo(os.path.join(self.temp_dir, ‘testcases’), encoding=’utf-8’) status = self.repo.status self.assertEqual(‘failed’, status[0])
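Review bot: In test_init_with_absolute, `os.path.join(self.temp_dir, '/testcases')` evaluates to `'/testcases'`, because os.path.join discards every preceding component once it meets an absolute one, so the new test opens a repository at the filesystem root rather than under temp_dir and the `display_name` assertion passes on the basename alone without exercising a real repository. If the intent is to show that an absolute component cannot escape the configured root (which appears to be the premise of this fix, though the enforcing code is not in the visible hunks), the test should pin which path was actually opened, e.g. add `self.assertEqual(b'/testcases', self.repo.path)` or build the path as the sibling tests do with `os.path.join(self.temp_dir, 'testcases')` and document the expectation in a comment such as `# an absolute component must not resolve outside temp_dir`. In the same hunk, test_init_with_invalid still asserts `b'invalid' == self.repo.path`; with the constructor now taking a single full path it is unclear from the hunk whether `path` remains the bare name or becomes the joined path, so that expectation should be confirmed against the new RdiffRepo implementation. The enclosing test class continues outside this hunk.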
@@ -545,7 +544,7 @@ def test_status_access_denied_rdiff_backup_data(self): # Change the permissions of the files. os.chmod(os.path.join(self.testcases_dir, b’rdiff-backup-data’), 0000) # Query status. self.repo = RdiffRepo(self.temp_dir, b’testcases’, encoding=’utf-8’) self.repo = RdiffRepo(os.path.join(self.temp_dir, ‘testcases’), encoding=’utf-8’) status = self.repo.status self.assertEqual('failed’, status[0]) # Make sure history entry doesn’t raise error

Related news

GHSA-g594-55mp-f6q8: Improper Privilege Management in rdiffweb

Unauthorized access to settings update, logs, history, delete, etc. in GitHub repository ikus060/rdiffweb prior to 2.5.2.
