public inbox for git-commits@fedoraproject.org
* [rpms/python-wsgidav] epel9: Backport fix for CVE-2026-48099
@ 2026-05-31 18:39 Benjamin A. Beasley
From: Benjamin A. Beasley @ 2026-05-31 18:39 UTC
To: git-commits
A new commit has been pushed.
Repo : rpms/python-wsgidav
Branch : epel9
Commit : a603db98854a6ccddf64639883ceb7c688f48ee0
Author : Benjamin A. Beasley <code@musicinmybrain.net>
Date : 2026-05-31T19:37:52+01:00
Stats : +26/-1 in 2 file(s)
URL : https://src.fedoraproject.org/rpms/python-wsgidav/c/a603db98854a6ccddf64639883ceb7c688f48ee0?branch=epel9
Log:
Backport fix for CVE-2026-48099
---
diff --git a/python-wsgidav.spec b/python-wsgidav.spec
index 1b345c7..b10cd2f 100644
--- a/python-wsgidav.spec
+++ b/python-wsgidav.spec
@@ -27,7 +27,11 @@ Source1: wsgidav.1
#
# Cannot import wsgidav.dav_error: raises ImportError due to circular import
# https://github.com/mar10/wsgidav/issues/340#event-17603260087
-Patch: %{url}/commit/991a23f5f5f3f46232eacd96666e23c1b5e110b5.patch
+Patch0: %{url}/commit/991a23f5f5f3f46232eacd96666e23c1b5e110b5.patch
+# Fix CVE-2026-48099
+# https://github.com/mar10/wsgidav/commit/f894ed8656d7bdd7438ab8148c5a02546cb15183
+# Without changelog entry, to avoid merge conflicts
+Patch1: wsgidav-4.3.3-CVE-2026-48099.patch
BuildArch: noarch
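Review bot: No Release bump and no %changelog entry appear in this hunk, and the commit's +26/-1 over two files is fully accounted for by this hunk (+5/-1) and the new 21-line patch file, so unless the spec uses %autorelease and %autochangelog the rebuilt package will keep the previous NEVR. For the same reason, confirm that %prep already applies numbered patches automatically (%autosetup or %autopatch), since no %patch1 line is added alongside the new `Patch1: wsgidav-4.3.3-CVE-2026-48099.patch`. Renaming `Patch:` to `Patch0:` is the right companion change, as it keeps the numbering explicit once a second patch exists.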
diff --git a/wsgidav-4.3.3-CVE-2026-48099.patch b/wsgidav-4.3.3-CVE-2026-48099.patch
new file mode 100644
index 0000000..b07318d
--- /dev/null
+++ b/wsgidav-4.3.3-CVE-2026-48099.patch
@@ -0,0 +1,21 @@
+diff --git a/wsgidav/fs_dav_provider.py b/wsgidav/fs_dav_provider.py
+index de9b00c7..7b2b7c14 100644
+--- a/wsgidav/fs_dav_provider.py
++++ b/wsgidav/fs_dav_provider.py
+@@ -457,9 +457,14 @@ def _loc_to_file_path(self, path: str, environ: dict = None):
+ # Try alternative URL if not found (or even override target):
+ is_shadow, file_path = self._resolve_shadow_path(path, environ, file_path)
+
+- if not file_path.startswith(root_path) and not is_shadow:
++ # Ensure the containment check is path-boundary-aware: append os.sep so
++ # that a sibling directory (e.g. /tmp/share_evil) whose name *starts with*
++ # root_path (/tmp/share) is correctly rejected.
++ root_path_with_sep = root_path.rstrip(os.sep) + os.sep
++ file_path_with_sep = file_path.rstrip(os.sep) + os.sep
++ if not file_path_with_sep.startswith(root_path_with_sep) and not is_shadow:
+ raise RuntimeError(
+- f"Security exception: tried to access file outside root: {file_path}"
++ f"Security exception: tried to access file outside root {root_path}: {file_path}"
+ )
+
+ # Convert to unicode
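Review bot: The hardened check in `_loc_to_file_path` still compares plain strings, so it is only sound if `file_path` and `root_path` are both absolute and normalized before this point, which the hunk does not show; on Windows, where `os.altsep` is `/` and filesystem paths compare case-insensitively, an un-normalized `file_path` could pass or fail `startswith(root_path_with_sep)` for the wrong reason, so a comment above the check stating where normalization happens (or a switch to `os.path.commonpath`) would make the fix easier to review. The widened message `f"Security exception: tried to access file outside root {root_path}: {file_path}"` now embeds the server-side root directory; make sure the RuntimeError text is logged but not echoed back to the client in the error response. Separately, the new patch file has no description header above its first `diff --git` line; carrying the upstream commit URL and CVE id there, as the spec comment already does, keeps that provenance with the patch itself.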