public inbox for git-commits@fedoraproject.org
From: Benjamin A. Beasley <code@musicinmybrain.net>
To: git-commits@fedoraproject.org
Subject: [rpms/python-wsgidav] epel9: Backport fix for CVE-2026-48099
Date: Sun, 31 May 2026 18:39:50 GMT
Message-ID: <178025279014.1.14966136390713601080.rpms-python-wsgidav-a603db98854a@fedoraproject.org>
A new commit has been pushed.
Repo : rpms/python-wsgidav
Branch : epel9
Commit : a603db98854a6ccddf64639883ceb7c688f48ee0
Author : Benjamin A. Beasley <code@musicinmybrain.net>
Date : 2026-05-31T19:37:52+01:00
Stats : +26/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/python-wsgidav/c/a603db98854a6ccddf64639883ceb7c688f48ee0?branch=epel9
Log:
Backport fix for CVE-2026-48099
---
diff --git a/python-wsgidav.spec b/python-wsgidav.spec
index 1b345c7..b10cd2f 100644
--- a/python-wsgidav.spec
+++ b/python-wsgidav.spec
@@ -27,7 +27,11 @@ Source1: wsgidav.1
#
# Cannot import wsgidav.dav_error: raises ImportError due to circular import
# https://github.com/mar10/wsgidav/issues/340#event-17603260087
-Patch: %{url}/commit/991a23f5f5f3f46232eacd96666e23c1b5e110b5.patch
+Patch0: %{url}/commit/991a23f5f5f3f46232eacd96666e23c1b5e110b5.patch
+# Fix CVE-2026-48099
+# https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183
+# Without changelog entry, to avoid merge conflicts
+Patch1: wsgidav-4.3.3-CVE-2026-48099.patch
BuildArch: noarch
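Review bot: renaming the unnumbered `Patch:` tag to `Patch0:` alongside the new `Patch1:` is the right call, since it removes any ambiguity about which number the unnumbered tag would receive once a second patch is added, but the hunk shows neither a `Release:` bump nor a `%changelog` entry naming CVE-2026-48099; unless the spec relies on `%autorelease` and `%autochangelog`, add both so the fix is visible in `rpm -q --changelog` on the built package. Also confirm that the `%prep` section (not shown) applies both patches at strip level `-p1`, since the new patch file is rooted at `a/wsgidav/fs_dav_provider.py`. The comment "Without changelog entry, to avoid merge conflicts" usefully documents why the backport differs from the upstream commit f894ed8656d7bdd7438ab8148c5a02546cb15183; keep it.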
diff --git a/wsgidav-4.3.3-CVE-2026-48099.patch b/wsgidav-4.3.3-CVE-2026-48099.patch
new file mode 100644
index 0000000..b07318d
--- /dev/null
+++ b/wsgidav-4.3.3-CVE-2026-48099.patch
@@ -0,0 +1,21 @@
+diff --git a/wsgidav/fs_dav_provider.py b/wsgidav/fs_dav_provider.py
+index de9b00c7..7b2b7c14 100644
+--- a/wsgidav/fs_dav_provider.py
++++ b/wsgidav/fs_dav_provider.py
+@@ -457,9 +457,14 @@ def _loc_to_file_path(self, path: str, environ: dict = None):
+ # Try alternative URL if not found (or even override target):
+ is_shadow, file_path = self._resolve_shadow_path(path, environ, file_path)
+
+- if not file_path.startswith(root_path) and not is_shadow:
++ # Ensure the containment check is path-boundary-aware: append os.sep so
++ # that a sibling directory (e.g. /tmp/share_evil) whose name *starts with*
++ # root_path (/tmp/share) is correctly rejected.
++ root_path_with_sep = root_path.rstrip(os.sep) + os.sep
++ file_path_with_sep = file_path.rstrip(os.sep) + os.sep
++ if not file_path_with_sep.startswith(root_path_with_sep) and not is_shadow:
+ raise RuntimeError(
+- f"Security exception: tried to access file outside root: {file_path}"
++ f"Security exception: tried to access file outside root {root_path}: {file_path}"
+ )
+
+ # Convert to unicode
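Review bot: the tightened check at `if not file_path_with_sep.startswith(root_path_with_sep)` only closes the sibling-directory case described in the comment (`/tmp/share_evil` versus `/tmp/share`) if `file_path` has already been made absolute and normalized before this point, because a string prefix test does not collapse `..` segments or resolve symlinks; the hunk context does not show where `file_path` is computed in `_loc_to_file_path`, so verify that this normalization happens earlier in the function and that it agrees with the `os.sep` handling added here on platforms where `os.altsep` is also accepted. Note also that the `and not is_shadow` clause is unchanged, so a path returned by `_resolve_shadow_path` still bypasses the containment check entirely; that is pre-existing behaviour rather than something this backport introduces, but given the "Security exception" framing a short comment stating that shadow paths are trusted would help the next reader.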