Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package zola for openSUSE:Factory checked in at 2023-08-15 16:40:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/zola (Old)
 and      /work/SRC/openSUSE:Factory/.zola.new.11712 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zola" Tue Aug 15 16:40:09 2023 rev:9 rq:1103952 version:0.17.2 Changes: -------- --- /work/SRC/openSUSE:Factory/zola/zola.changes 2023-04-21 20:17:08.822358894 +0200 +++ /work/SRC/openSUSE:Factory/.zola.new.11712/zola.changes 2023-08-15 16:40:15.491090145 +0200 @@ -1,0 +2,10 @@ +Tue Aug 15 04:00:16 UTC 2023 - Soc Virnyl Estela <[email protected]> + +- Add 0001-fix-life-in-zola-serve.patch to address bsc#1214237 + +------------------------------------------------------------------- +Sun Aug 13 13:26:54 UTC 2023 - Soc Virnyl Estela <[email protected]> + +- Replace obsoleted `disabled` option with `manual` + +------------------------------------------------------------------- New: ---- 0001-fix-life-in-zola-serve.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zola.spec ++++++ --- /var/tmp/diff_new_pack.il5m8R/_old 2023-08-15 16:40:16.451096692 +0200 +++ /var/tmp/diff_new_pack.il5m8R/_new 2023-08-15 16:40:16.455096719 +0200 @@ -25,6 +25,7 @@ Source0: %{name}-%{version}.tar.zst Source1: vendor.tar.zst Source2: cargo_config +Patch1: https://github.com/getzola/zola/pull/2258.patch#/0001-fix-life-in-zola-serve.patch BuildRequires: c++_compiler BuildRequires: c_compiler BuildRequires: cargo-packaging @@ -40,7 +41,7 @@ a strongly defined, highly compatible specification of Markdown. %prep -%autosetup -a1 +%autosetup -a1 -p1 mkdir .cargo cp %{SOURCE2} .cargo/config ++++++ 0001-fix-life-in-zola-serve.patch ++++++ >From 8d514e8bebeaa73393450fc386c01aec35bfe8a4 Mon Sep 17 00:00:00 2001 From: adeadfed <[email protected]> Date: Mon, 24 Jul 2023 18:41:23 +0200 Subject: [PATCH 1/2] use fs canonicalize to prevent path traversal --- src/cmd/serve.rs | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs index 52b1d585b..e102e90d0 100644 --- a/src/cmd/serve.rs +++ b/src/cmd/serve.rs 
@@ -116,6 +116,14 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons // otherwise `PathBuf` will interpret it as an absolute path root.push(&decoded[1..]); + // Resolve the root + user supplied path into the absolute path + // this should hopefully remove any path traversals + // if we fail to resolve path, we should return 404 + root = match tokio::fs::canonicalize(&root).await { + Ok(d) => d, + Err(_) => return Ok(not_found()) + }; + // Ensure we are only looking for things in our public folder if !root.starts_with(original_root) { return Ok(not_found()); >From 219fe9bed1d2aae5c6b57b2017cce8956ce62cf7 Mon Sep 17 00:00:00 2001 From: Maksym Vatsyk <[email protected]> Date: Mon, 24 Jul 2023 23:38:47 +0200 Subject: [PATCH 2/2] fix cargo fmt --- src/cmd/serve.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs index e102e90d0..a6e906cb0 100644 --- a/src/cmd/serve.rs +++ b/src/cmd/serve.rs @@ -121,9 +121,9 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons // if we fail to resolve path, we should return 404 root = match tokio::fs::canonicalize(&root).await { Ok(d) => d, - Err(_) => return Ok(not_found()) + Err(_) => return Ok(not_found()), }; - + // Ensure we are only looking for things in our public folder if !root.starts_with(original_root) { return Ok(not_found()); ++++++ _service ++++++ --- /var/tmp/diff_new_pack.il5m8R/_old 2023-08-15 16:40:16.499097019 +0200 +++ /var/tmp/diff_new_pack.il5m8R/_new 2023-08-15 16:40:16.503097047 +0200 @@ -1,5 +1,5 @@ <services> - <service mode="disabled" name="obs_scm"> + <service mode="manual" name="obs_scm"> <param name="url">https://github.com/getzola/zola</param> <param name="versionformat">@PARENT_TAG@</param> <param name="scm">git</param> 
@@ -9,18 +9,18 @@ <param name="changesgenerate">enable</param> <param name="changesauthor">[email protected]</param> </service> - <service mode="disabled" name="tar" /> - <service mode="disabled" name="recompress"> + <service mode="manual" name="tar" /> + <service mode="manual" name="recompress"> <param name="file">*.tar</param> <param name="compression">zstd</param> </service> - <service mode="disabled" name="set_version"/> - <service name="cargo_vendor" mode="disabled"> + <service mode="manual" name="set_version"/> + <service name="cargo_vendor" mode="manual"> <param name="srcdir">zola</param> <param name="compression">zst</param> <param name="update">true</param> </service> - <service name="cargo_audit" mode="disabled"> + <service name="cargo_audit" mode="manual"> <param name="srcdir">zola</param> </service> </services>
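Review bot: in the zola.spec hunk, the new `Patch1: https://github.com/getzola/zola/pull/2258.patch#/0001-fix-life-in-zola-serve.patch` source is not pinned to a commit. GitHub regenerates a pull request's `.patch` output whenever the PR branch is updated, so a later re-fetch can yield a different patch from the one reviewed here, and the only record of what was actually applied is the local copy (commits 8d514e8bebeaa73393450fc386c01aec35bfe8a4 and 219fe9bed1d2aae5c6b57b2017cce8956ce62cf7 in its headers). Prefer a commit-pinned URL of the form https://github.com/getzola/zola/commit/<sha>.patch for the merged change, or keep the local file as the authoritative source and reference the PR in a comment. The patch file name `fix-life-in-zola-serve` also does not describe the change; the commit subject is "use fs canonicalize to prevent path traversal", so a name along those lines would be clearer. The `-p1` added to `%autosetup` matches the `a/` and `b/` prefixes in the diff headers and is correct.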
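Review bot: in the first serve.rs hunk (PATCH 1/2), the containment check `if !root.starts_with(original_root)` now compares a canonicalized `root` against `original_root`, which nothing in the hunk canonicalizes. `tokio::fs::canonicalize` returns an absolute path with every symlink resolved, so if `original_root` is relative, or the public directory is reached through a symlinked component, the prefix test fails for every request and `zola serve` answers 404 for its own files. Canonicalize the root once where it is established (or require the caller to pass a canonical path) and compare against that value. Two smaller points: the comment "this should hopefully remove any path traversals" should state what is actually guaranteed (after canonicalization the path contains no `..` or symlink components, which is what makes `starts_with` a sound prefix test), and the commit message should mention that a file inside the public folder that is a symlink to a target outside it is now rejected with 404, since that is a visible behaviour change for users who symlink assets into their output directory.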
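Review bot: the second serve.rs hunk (PATCH 2/2) only re-applies `cargo fmt` to the previous commit (the trailing comma after `Err(_) => return Ok(not_found())` and a blank line stripped of trailing whitespace); squash it into PATCH 1/2 so the packaged patch series carries a single logical change and the patch file does not have to be regenerated twice when the upstream PR is updated.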
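Review bot: in the second _service hunk, `mode="manual"` is the current spelling of the deprecated `mode="disabled"` and changes no behaviour: every service, including `cargo_audit`, still runs only when invoked explicitly. Because this request touches neither vendor.tar.zst nor the upstream version (0.17.2 is unchanged and "Other differences" lists only zola.spec, the new patch and _service), no audit output is affected by this change; the only thing worth stating in the changelog entry is that the rename is purely syntactic, which "Replace obsoleted `disabled` option with `manual`" already does.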
