CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO
|Assigned To:||Aaron Stone|
|Target version:||Sprint 29|
|Found in release:||1.6.0||Pull request:||https://github.com/theforeman/foreman/pull/1778|
|Velocity based estimate||-|
I have Foreman 1.5.1. I will try to test this against 1.5.2 and 1.6.0, but if someone else can test it first that would be grand.
Steps to reproduce:
In Provisioning Templates, click New Template.
Put this into the code box:
test <<FOO > bar
Now the contents are:
test < bar
That's a pretty big problem for templates that want to use shell redirection!
Fixes #7483 - Use hidden input value to hold raw template contents (CVE-2014-3653)
#2 Updated by Dominic Cleal about 3 years ago
- Category set to Security
- Status changed from New to Assigned
- Assigned To set to Aaron Stone
- Target version set to Sprint 29
- Release set to 1.6.1
Thanks for the report. This has a security impact as it seems to be rendered as HTML, we're getting a CVE assigned. Please go ahead and submit your fix, we'll get it into 1.6.1.