CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO
I have Foreman 1.5.1. I will try to test this against 1.5.2 and 1.6.0, but if someone else can test it first that would be grand.
Steps to reproduce:
In Provisioning Templates, click New Template.
Put this into the code box:
test <<FOO > bar
Now the contents are:
test < bar
That's a pretty big problem for templates that want to use shell redirection!
Updated by Dominic Cleal over 9 years ago
- Category set to Security
- Status changed from New to Assigned
- Assignee set to Aaron Stone
- Target version set to 1.7.3
- translation missing: en.field_release set to 22
Thanks for the report. This has a security impact as it seems to be rendered as HTML, we're getting a CVE assigned. Please go ahead and submit your fix, we'll get it into 1.6.1.