mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
If an attacker manages to create arbitrary rolenames they could trick the client into writing metadata files into unexpected locations: to avoid directory traversal and writing files into unexpected locations, encode the rolename before using it as a filename. If a client has delegated targets metadata with rolenames that have percent-encoded characters in them, these metadata will now not be found in the local metadata cache and must be re-downloaded. Note that this does not mean using rolenames that get encoded is advisable (as forming the download URLs still has issues with them), this just means the client will not do unsafe writes when it encounters rolenames like this.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
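The commit message describes the defensive idea without showing it; the following is an added example that is not python-tuf's own code. It models a metadata cache in which every delegated role is stored as `<metadata_dir>/<encoded rolename>.json` (a layout assumed for the example), percent-encodes the rolename with `urllib.parse.quote(..., safe="")` before it becomes a filename, and adds a realpath check as defence in depth. The function names `encoded_role_filename`, `rolename_from_filename` and `metadata_path` are hypothetical.

```python
import os
from urllib.parse import quote, unquote

# Added example, not python-tuf's own code: the cache layout
# <metadata_dir>/<encoded rolename>.json is an assumption for illustration.


def encoded_role_filename(rolename: str) -> str:
    """Return the cache filename for a delegated rolename.

    quote() with safe="" percent-encodes "/" and every other character outside
    the unreserved set (letters, digits, "_.-~"), so the result can never
    contain a path separator.  "%" itself becomes "%25", which is why a
    rolename that already contained percent-encoded characters now maps to a
    different filename than before, so an older cache entry is not found and
    the metadata is re-downloaded.
    """
    return quote(rolename, safe="") + ".json"


def rolename_from_filename(filename: str) -> str:
    """Inverse mapping, useful when listing or pruning the cache."""
    if not filename.endswith(".json"):
        raise ValueError(f"not a metadata filename: {filename!r}")
    return unquote(filename[: -len(".json")])


def metadata_path(metadata_dir: str, rolename: str) -> str:
    """Return the path a role's metadata would be written to.

    The encoding alone keeps the name inside metadata_dir; the realpath check
    is defence in depth so that a future change to the encoding cannot
    silently reintroduce traversal.
    """
    path = os.path.join(metadata_dir, encoded_role_filename(rolename))
    if os.path.dirname(os.path.realpath(path)) != os.path.realpath(metadata_dir):
        raise ValueError(f"rolename {rolename!r} escapes the metadata directory")
    return path


if __name__ == "__main__":
    # Constructed sample rolenames: an ordinary one, one containing path
    # separators and "..", and one that already carries percent-encoding.
    for name in ("targets", "../../etc/passwd", "role%2Fname"):
        print(f"{name!r:>20} -> {metadata_path('/var/cache/tuf', name)}")
```

The example deliberately keeps "." as an unreserved character: a rolename of `..` becomes the file `...json`, a harmless name inside the cache directory rather than a parent-directory reference.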
Next-gen TUF client for Python
This package provides modules for TUF client implementers.
`tuf.ngclient.Updater` is a class that implements the client workflow described in the TUF specification (see https://theupdateframework.github.io/specification/latest/#detailed-client-workflow).

`tuf.ngclient.FetcherInterface` is an abstract class that client implementers can implement a concrete class of in order to reuse their own networking/download libraries; a Requests-based implementation is used by default.
This package:
- Aims to be a clean, easy-to-validate reference client implementation written in modern Python
- At the same time aims to be the library of choice for anyone implementing a TUF client in Python: light-weight, easy to integrate and with minimal required dependencies
- Is still under development but is planned to become the default client in this implementation (i.e., the older `tuf.client` will be deprecated in the future)