Bug #8263

CVE-2014-3712 Katello: user parameters passed to to_sym

Added by Eric Helms about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Low
Assigned To: -
Category: -
Target version: Sprint 40
Difficulty:
Pull request: https://github.com/Katello/katello/pull/4802
Bugzilla link: 1155708
Story points: -
Velocity based estimate: -
Release: Katello 2.1
Release relationship: Auto

Description

Associated revisions

Revision fc5ccc59
Added by Eric Helms about 3 years ago

Fixes #8263: Remove usage of to_sym on user input params.

Addresses CVE-2014-3712, whereby two locations in the code turn user
input into symbols and allow potential DoS attacks by an authenticated user.

The first location, content search params, was turned from symbol matching
into string matching to avoid the to_sym conversion. The second location
involves the use of the Rails action param. While this should be guarded
by the internals of Rails, the code was changed to only perform the to_sym
if the params[:action] parameter exists within the application by doing
the respond_to? check prior to the to_sym in the send.
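The two changes the commit message describes, shown as an added Ruby example that is not Katello's code: a stand-in SearchController with a hypothetical MODES allowlist and an index action, each location in its to_sym-first form beside the check-first form the fix introduced, run on constructed request parameters.

```ruby
# Added illustration, not Katello's code; SearchController, MODES and index
# are stand-ins. Before Ruby 2.2 symbols were never garbage collected, so
# calling to_sym on arbitrary client input let an authenticated user grow the
# symbol table without bound, which is the DoS the commit message refers to.
class SearchController
  MODES = %w[products repositories errata].freeze # hypothetical allowlist

  # Content-search matching before the fix: the input is interned first and
  # then compared, so every distinct unknown value becomes a new symbol.
  def search_mode_unsafe(params)
    mode = params['mode'].to_sym
    MODES.map(&:to_sym).include?(mode) ? mode : nil
  end

  # After the fix: compare as strings; to_sym is only reached for a known value.
  def search_mode_safe(params)
    mode = params['mode'].to_s
    MODES.include?(mode) ? mode.to_sym : nil
  end

  def index
    'index'
  end

  # Action dispatch before the fix: to_sym runs before the existence check.
  def dispatch_unsafe(params)
    action = params['action'].to_sym
    respond_to?(action) ? send(action) : nil
  end

  # After the fix, as in the commit: respond_to? accepts a String, so the
  # check comes first and to_sym is applied only to an action this
  # controller actually has.
  def dispatch_safe(params)
    action = params['action'].to_s
    respond_to?(action) ? send(action.to_sym) : nil
  end
end

# Constructed request parameters standing in for Rails params.
KNOWN_PARAMS   = { 'mode' => 'products', 'action' => 'index' }.freeze
UNKNOWN_PARAMS = { 'mode' => 'zz_unknown_mode', 'action' => 'zz_unknown_action' }.freeze
```

Both forms return the same results for known and unknown input; the difference is only whether the unknown value is interned on the way. Note that respond_to? answers true for any public method, so an explicit allowlist of action names, as MODES does for search modes, is the stricter check.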

Revision 5e8f9721
Added by Eric D Helms about 3 years ago

Merge pull request #4802 from ehelms/fixes-8263

Fixes #8263: Remove usage of to_sym on user input params.

History

#1 Updated by The Foreman Bot about 3 years ago

  • Status changed from New to Ready For Testing
  • Target version set to Sprint 39
  • Pull request https://github.com/Katello/katello/pull/4802 added

#2 Updated by Eric Helms about 3 years ago

  • Target version changed from Sprint 39 to Sprint 40

#3 Updated by Eric Helms about 3 years ago

  • Release set to Katello 2.1
  • Triaged changed from No to Yes

#4 Updated by Eric Helms about 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
