d529863a1e
There's a security issue where it'd be possible to import images with backed files using the task engine and then use/convert those to access system files or any other file in the system. An example of an attack would be to import an image with a backing file pointing to `/etc/passwd`, then convert it to raw and download the generated image. This patch forbids importing files with baking files entirely. It does that in the `_ImportToFS` task, which is the one that imports the image locally to then execute other tasks on it. It's not necessary for the `_ImportToStore` task because other tasks won't be executed when the image is imported in the final store. Change-Id: I35f43c3b3f326942fb53b7dadb94700ac4513494 Closes-bug: #1471912 |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| test_convert.py | ||
| test_import.py | ||
| test_introspect.py | ||