Commit 553f1c1d authored by Michael Hanselmann's avatar Michael Hanselmann
Browse files

Disallow uploading job queue files through upload_file

The job queue is now updated through its own RPC functions.

Reviewed-by: iustinp
parent 9f774ee8
......@@ -1026,9 +1026,6 @@ def FindBlockDevice(disk):
return rbd
return (rbd.dev_path, rbd.major, rbd.minor) + rbd.GetSyncStatus()
def _IsJobQueueFile(file_name):
queue_dir = os.path.normpath(constants.QUEUE_DIR)
return os.path.commonprefix([queue_dir, file_name]) == queue_dir
def UploadFile(file_name, data, mode, uid, gid, atime, mtime):
"""Write a file to the filesystem.
......@@ -1050,7 +1047,7 @@ def UploadFile(file_name, data, mode, uid, gid, atime, mtime):
]
allowed_files.extend(ssconf.SimpleStore().GetFileList())
if not (file_name in allowed_files or _IsJobQueueFile(file_name)):
if file_name not in allowed_files:
logging.error("Filename passed to UploadFile not in allowed"
" upload targets: '%s'", file_name)
return False
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment