Merge pull request #42948 from Ch3LL/2017.7.0_follow_up

[2017.7.1] Add clean_id function to salt.utils.verify.py

doc/topics/releases/2017.7.1.rst

@@ -4,6 +4,13 @@ Salt 2017.7.1 Release Notes
 
 Version 2017.7.1 is a bugfix release for :ref:`2017.7.0 <release-2017-7-0>`.
 
+Security Fix
+============
+
+CVE-2017-12791 Maliciously crafted minion IDs can cause unwanted directory traversals on the Salt-master
+
+Correct a flaw in minion id validation which could allow certain minions to authenticate to a master despite not having the correct credentials. To exploit the vulnerability, an attacker must create a salt-minion with an ID containing characters that will cause a directory traversal. Credit for discovering the security flaw goes to: Vernhk@qq.com
+
 Changes for v2017.7.0..v2017.7.1
 --------------------------------
 

salt/utils/verify.py

@@ -480,12 +480,21 @@ def clean_path(root, path, subdir=False):
     return ''
 
 
+def clean_id(id_):
+    '''
+    Returns if the passed id is clean.
+    '''
+    if re.search(r'\.\.\{sep}'.format(sep=os.sep), id_):
+        return False
+    return True
+
+
 def valid_id(opts, id_):
     '''
     Returns if the passed id is valid
     '''
     try:
-        return bool(clean_path(opts['pki_dir'], id_))
+        return bool(clean_path(opts['pki_dir'], id_)) and clean_id(id_)
     except (AttributeError, KeyError, TypeError) as e:
         return False