On 05.09.2014 [15:00:45 -0700], Nishanth Aravamudan wrote: > On 02.09.2014 [08:25:12 -0700], Nishanth Aravamudan wrote: > > On 31.08.2014 [10:15:01 +0200], J?rgen Maas wrote: > > > This is definitely a bug, i will take a look at it. > > > > > > FYI, the master branch is slated to become cobbler 3.0, this means > > > functionality and API may (and shall) change or can be removed altogether > > > (eg. s390/itanium). > > > > Yep, that's fine with me, to be honest. But one thing I'd like to see > > improved is the commit logs indicating what is functionally changing > > (even if just the intent). The logs right now are a bit terse and it > > takes looking at the actual commit to know what they do often :) > > > > > One other example is the remote kickstart URL feature; this has been > > > removed on purpose also as a result of multiple CVE reports. > > > Kickstarts *must* reside on the Cobbler server and also they *must* be in > > > the directory /var/lib/cobbler/kickstarts/ > > > > I wonder if it would be possible to provide a mirroring? That is, if the > > kickstart referenced is remote, can it not be mirrored over as part of > > the sync and thus be local for the deployment itself? I suppose if > > that's the case, the admin could just mirror them over. > > > > I do think there's one use-case that is no longer supported, but isn't a > > CVE -- users testing custom kickstarts. Presuming a good authorization > > model, regular users may not be allowed to edit the Cobbler-wide > > kickstarts. But they might want to test some custom partitioning, or > > feature flag, and would like to specify that in their kickstart file? > > FYI, found another bug introduced by this commit: > > remote.write_kickstart_template now calls > > file_path = validate.kickstart_file_path(file_path, for_item=False) > > but that does the following check: > > if not os.path.isfile(kickstart): > raise CX("Invalid kickstart template file location %s, file not found" % > kickstart) > > which doesn't make a lot of sense for writing the kickstart from the > webUI? (on creating a new one).
Something like the following? I'll send through a github pull request if it seems reasonable: diff --git a/cobbler/remote.py b/cobbler/remote.py index 835d29f..069e167 100644 --- a/cobbler/remote.py +++ b/cobbler/remote.py @@ -1991,7 +1991,7 @@ class CobblerXMLRPCInterface: what = "write_kickstart_template" self._log(what, name=file_path, token=token) self.check_access(token, what, file_path, True) - file_path = validate.kickstart_file_path(file_path, for_item=False) + file_path = validate.kickstart_file_path(file_path, for_item=False, write=True) try: utils.mkdir(os.path.dirname(file_path)) diff --git a/cobbler/validate.py b/cobbler/validate.py index ff63b8a..3727edf 100644 --- a/cobbler/validate.py +++ b/cobbler/validate.py @@ -84,7 +84,7 @@ def snippet_file_path(snippet): return snippet -def kickstart_file_path(kickstart, for_item=True): +def kickstart_file_path(kickstart, for_item=True, write=False): """ Validate the kickstart file path. @@ -113,7 +113,7 @@ def kickstart_file_path(kickstart, for_item=True): if not kickstart.startswith(KICKSTART_TEMPLATE_BASE_DIR): raise CX("Invalid kickstart template file location %s, it is not inside - if not os.path.isfile(kickstart): + if not os.path.isfile(kickstart) and not write: raise CX("Invalid kickstart template file location %s, file not found" return kickstart _______________________________________________ cobbler-devel mailing list cobbler-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/cobbler-devel