Attention is currently required from: dexter, laforge, neels, osmith.
Hoernchen has posted comments on this change by dexter. ( https://gerrit.osmocom.org/c/pysim/+/42625?usp=email )
Change subject: osmo-smdpp.py: fix path Traversal Bypass in SM-DP+ (CWE-22)
Patch Set 1: Code-Review-2
(2 comments)
Patchset:
PS1: The fix is literally commonprefix -> commonpath, but the LLM security spam didn't even get that right.
File osmo-smdpp.py:
https://gerrit.osmocom.org/c/pysim/+/42625/comment/64d8e164_5044250e?usp=ema... :
PS1, Line 643: if os.path.commonprefix((os.path.realpath(path),self.upp_dir)) != self.upp_dir:
Thanks for testing this. I didn't test it. I trusted the report as it seemed plausible. […]
Oliver's test misses the actual issue. 1) realpath in the actual code strips the trailing slash for both paths, which makes all the difference here precisely because the commonprefix matches chars and not path parts. 2) passwd is not a sibling dir; it only works for a sibling dir.
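The two points in the comment above, as an added example that is not part of the review thread or of pysim: it compares the character-wise check from the quoted line 643 with the commonprefix -> commonpath change on three constructed paths. The directory names (`upp`, `upp-other`, `elsewhere`), the function names and the assumption that the base directory is stored realpath-normalized without a trailing slash are illustrative.

```python
import os
import tempfile


def inside_commonprefix(path, base):
    """Character-wise containment check, shaped like the quoted line 643."""
    return os.path.commonprefix((os.path.realpath(path), base)) == base


def inside_commonpath(path, base):
    """Component-wise containment check (commonprefix -> commonpath)."""
    return os.path.commonpath((os.path.realpath(path), base)) == base


def demo():
    # Constructed layout: <root>/upp is the allowed directory and
    # <root>/upp-other is a sibling whose name starts with the same characters.
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "upp")  # no trailing slash (assumed, as after realpath)
    os.mkdir(base)
    os.mkdir(os.path.join(root, "upp-other"))

    cases = {
        "inside": os.path.join(base, "profile.der"),
        "sibling": os.path.join(base, "..", "upp-other", "profile.der"),
        "unrelated": os.path.join(base, "..", "..", "elsewhere", "file"),
    }
    results = {}
    for name, path in cases.items():
        results[name] = (
            inside_commonprefix(path, base),           # check as quoted
            inside_commonpath(path, base),             # component-wise check
            inside_commonprefix(path, base + os.sep),  # base kept WITH trailing slash
        )
    return results


if __name__ == "__main__":
    print("case       commonprefix  commonpath  commonprefix+slash")
    for name, row in demo().items():
        print(f"{name:<10} {row[0]!s:<13} {row[1]!s:<11} {row[2]!s}")
```

Only the sibling case separates the two checks, and only when the base has no trailing slash, so a test that keeps the slash or targets an unrelated path reports the character-wise check as safe.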