Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix issue2777: prevent filenames with relative paths #2779

Merged
merged 1 commit into from
Jul 31, 2023
Merged

Fix issue2777: prevent filenames with relative paths #2779

merged 1 commit into from
Jul 31, 2023

Conversation

keflavich
Copy link
Contributor

@keflavich keflavich commented Jul 24, 2023
edited by bsipocz
Loading

WIP - first commit (3222132) addresses the possibility that filename= given in the Content-Disposition header could contain a full path and could be used to overwrite pickle files in the cache directories.

See issue #2777 for more info

@keflavich keflavich mentioned this pull request Jul 24, 2023
Open
@codecov
Copy link

codecov bot commented Jul 24, 2023
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (main@6f7ae8b). Click here to learn what that means.
The diff coverage is 57.14%.

❗ Current head c1bb7bd differs from pull request most recent head 9da4965. Consider uploading reports for the commit 9da4965 to get more accurate results

@@           Coverage Diff           @@
##             main    #2779   +/-   ##
=======================================
  Coverage        ?   66.09%           
=======================================
  Files           ?      235           
  Lines           ?    18073           
  Branches        ?        0           
=======================================
  Hits            ?    11946           
  Misses          ?     6127           
  Partials        ?        0
Files Changed Coverage Δ
astroquery/esa/iso/core.py 64.58% <50.00%> (ø)
astroquery/esa/xmm_newton/core.py 64.56% <50.00%> (ø)
astroquery/utils/tap/conn/tapconn.py 47.44% <50.00%> (ø)
astroquery/alma/core.py 55.57% <100.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@bsipocz bsipocz added this to the v0.4.7 milestone Jul 25, 2023
@keflavich keflavich requested a review from bsipocz July 31, 2023 13:30
ceb8
ceb8 approved these changes Jul 31, 2023
View reviewed changes
Copy link
Member

@ceb8 ceb8 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bsipocz
Copy link
Member

bsipocz commented Jul 31, 2023

@keflavich - could you please rebase?

@keflavich
Copy link
Contributor Author

done. Code style failures are all unrelated. Did you enable more aggressive checks recently? I'll be happy to fix them, as they're all easy, but they don't apply to this PR

@bsipocz
Copy link
Member

bsipocz commented Jul 31, 2023

done. Code style failures are all unrelated. Did you enable more aggressive checks recently? I'll be happy to fix them, as they're all easy, but they don't apply to this PR

Nope no recent updates, I suppose it maybe due to a flake8 version change? Agree to address it separately.

@bsipocz
Copy link
Member

bsipocz commented Jul 31, 2023

Either case, it's annoying that the rest of the tests are cancelled, so I'll remove that separately, too.

@keflavich @bsipocz
wrap filenames in os.path.basename to prevent possible security exploit
9da4965 
add missing os import, fix a whitespace error

basename on esasky paths too
@bsipocz bsipocz merged commit 4617173 into astropy:main Jul 31, 2023
@bsipocz
Copy link
Member

bsipocz commented Jul 31, 2023

Thanks @keflavich!

@keflavich keflavich deleted the issue2777 branch July 31, 2023 19:05
@eerovaher
Copy link
Member

The title of this pull request says that it fixes #2777, but the issue is still open despite the pull request being merged. Should the issue be closed or is the title here wrong?

@bsipocz
Copy link
Member

bsipocz commented Sep 15, 2023

Issue #2777 has other components that haven't been addressed here, thus it is still open.

@eerovaher
Copy link
Member

In that case it would be good to rename this pull request so that it wouldn't be misleading.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ceb8 ceb8 ceb8 approved these changes

@bsipocz bsipocz bsipocz approved these changes

Assignees
No one assigned
Labels
no-changelog-entry-needed
Projects
None yet
Milestone
v0.4.7
Development

Successfully merging this pull request may close these issues.
4 participants
@keflavich @bsipocz @eerovaher @ceb8