From f65030e88cc3100cb93a1db8c13663acaa5e200c Mon Sep 17 00:00:00 2001
From: Marek Hulan
Date: Mon, 29 Jul 2013 13:56:32 +0100
Subject: [PATCH] fixes #2860 - don't convert arbitrary input into symbols (CVE-2013-XXXX)
---
 app/controllers/hosts_controller.rb | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/app/controllers/hosts_controller.rb b/app/controllers/hosts_controller.rb
index 7e4b388..cce4dce 100644
--- a/app/controllers/hosts_controller.rb
+++ b/app/controllers/hosts_controller.rb
@@ -207,7 +207,7 @@ class HostsController < ApplicationController
   end
 
   def power
-    return invalid_request if params[:power_action].blank?
+    return invalid_request unless PowerManager::SUPPORTED_ACTIONS.include? (params[:power_action])
     @host.power.send(params[:power_action].to_sym)
     process_success :success_redirect => :back, :success_msg => _("%{host} is now %{state}") % { :host => @host, :state => _(@host.power.state) }
   rescue => e
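Review bot: The new guard in `power` allowlists the action before the dynamic dispatch, which is the right fix, but the dispatch on the next context line still uses `send`, which can reach private methods of the power object; since every allowlisted action is presumably a public method, `@host.power.public_send(params[:power_action].to_sym)` keeps the same behaviour for valid input while bounding what a future addition to `SUPPORTED_ACTIONS` could reach. The guard line also has a space before the parenthesis, which Ruby parses as `include?((params[:power_action]))` and warns about; write it as `return invalid_request unless PowerManager::SUPPORTED_ACTIONS.include?(params[:power_action])`. `SUPPORTED_ACTIONS` is not visible here, so whether it holds strings matching the raw param value (not symbols) should be confirmed, otherwise every request is rejected. The body of `power` continues past the end of the hunk.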
@@ -226,13 +226,12 @@ class HostsController < ApplicationController
   end
 
   def ipmi_boot
-    device = params[:ipmi_device]
-    begin
-      @host.ipmi_boot(device)
-      process_success :success_redirect => :back, :success_msg => _("%{host} now boots from %{device}") % { :host => @host.name, :device => _(BOOT_DEVICES[device.downcase.to_sym] || device) }
-    rescue => e
-      process_error :redirect => :back, :error_msg => _("Failed to configure %{host} to boot from %{device}: %{e}") % { :device => _(BOOT_DEVICES[device.downcase.to_sym] || device), :host => @host.name, :e => e }
-    end
+    device = params[:ipmi_device]
+    device_id = BOOT_DEVICES.stringify_keys[device.downcase] || device
+    @host.ipmi_boot(device)
+    process_success :success_redirect => :back, :success_msg => _("%{host} now boots from %{device}") % { :host => @host.name, :device => _(device_id) }
+  rescue => e
+    process_error :redirect => :back, :error_msg => _("Failed to configure %{host} to boot from %{device}: %{e}") % { :device => _(device_id), :host => @host.name, :e => e }
   end
 
   def console
-- 
1.8.3.1
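Review bot: A request without `ipmi_device` now fails twice in `ipmi_boot`: `device.downcase` raises on nil, the method-level `rescue` catches it, and the error message then interpolates `_(device_id)` with `device_id` still nil, so the user sees a 500 rather than the intended error page. Guarding the lookup with `device_id = BOOT_DEVICES.stringify_keys[device.to_s.downcase] || device` avoids the first failure, and an explicit `return invalid_request if device.blank?` before it, matching the style of the `power` action, would make the rejection deliberate. Note also that the raw `device` string, not the allowlisted `device_id`, is what reaches `@host.ipmi_boot`; whether unknown device names should be rejected there depends on what `ipmi_boot` accepts, which is not visible in this hunk. `BOOT_DEVICES.stringify_keys` also builds a new hash per request; a frozen string-keyed constant would do the same work once.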