Bug #7483
closed
CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO
Description
I have Foreman 1.5.1. I will try to test this against 1.5.2 and 1.6.0, but if someone else can test it first that would be grand.
Steps to reproduce:
In Provisioning Templates, click New Template.
Put this into the code box:
test <<FOO > bar
Hello World
FOO
click Preview
click Code
Now the contents are:
test < bar
Hello World
FOO
That's a pretty big problem for templates that want to use shell redirection!
Updated by Aaron Stone about 10 years ago
Tested, this does affect Foreman 1.5.2 and 1.6.0.
I posted screenshots of this bug in action here: https://github.com/sodabrew/foreman/issues/1
Updated by Dominic Cleal about 10 years ago
- Category set to Security
- Status changed from New to Assigned
- Assignee set to Aaron Stone
- Target version set to 1.7.3
- Translation missing: en.field_release set to 22
Thanks for the report. This has a security impact as it seems to be rendered as HTML, we're getting a CVE assigned. Please go ahead and submit your fix, we'll get it into 1.6.1.
Updated by The Foreman Bot about 10 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/1777 added
- Pull request deleted (
)
Updated by Dominic Cleal about 10 years ago
- Pull request https://github.com/theforeman/foreman/pull/1778 added
- Pull request deleted (
https://github.com/theforeman/foreman/pull/1777)
Updated by Dominic Cleal about 10 years ago
- Subject changed from Provisioning Templates Preview mode strips out text like <<FOO to CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO
Updated by Aaron Stone about 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset cafa94774b18d54304f031bbf4f7d1a15fc87b3d.
Updated by Anonymous about 10 years ago
- Related to Bug #8133: template diffs don't get displayed anymore added