Project

General

Profile

Bug #7483

CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO

Added by Aaron Stone over 8 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Aaron Stone
Category:
Security
Target version:
1.6.1
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/1778
Fixed in Releases:
Found in Releases:
1.6.0
Red Hat JIRA:

Description

I have Foreman 1.5.1. I will try to test this against 1.5.2 and 1.6.0, but if someone else can test it first that would be grand.

Steps to reproduce:

In Provisioning Templates, click New Template.
Put this into the code box:

test <<FOO > bar

Hello World

FOO

click Preview
click Code

Now the contents are:
test < bar

Hello World

FOO

That's a pretty big problem for templates that want to use shell redirection!

Related issues

Related to Foreman - Bug #8133: template diffs don't get displayed anymoreClosed2014-10-28

Associated revisions

Revision cafa9477 (diff)
Added by Aaron Stone over 8 years ago

Fixes #7483 - Use hidden input value to hold raw template contents (CVE-2014-3653)

Revision 159499bd (diff)
Added by Aaron Stone over 8 years ago

Fixes #7483 - Use hidden input value to hold raw template contents (CVE-2014-3653)

(cherry picked from commit cafa94774b18d54304f031bbf4f7d1a15fc87b3d)

History

#1 Updated by Aaron Stone over 8 years ago

Tested, this does affect Foreman 1.5.2 and 1.6.0.

I posted screenshots of this bug in action here: https://github.com/sodabrew/foreman/issues/1

#2 Updated by Dominic Cleal over 8 years ago

  • Category set to Security
  • Status changed from New to Assigned
  • Assignee set to Aaron Stone
  • Target version set to 1.7.3
  • Legacy Backlogs Release (now unused) set to 22

Thanks for the report. This has a security impact as it seems to be rendered as HTML, we're getting a CVE assigned. Please go ahead and submit your fix, we'll get it into 1.6.1.

#3 Updated by The Foreman Bot over 8 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/1777 added
  • Pull request deleted ()

#4 Updated by Dominic Cleal over 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/1778 added
  • Pull request deleted (https://github.com/theforeman/foreman/pull/1777)

#5 Updated by Dominic Cleal over 8 years ago

  • Subject changed from Provisioning Templates Preview mode strips out text like <<FOO to CVE-2014-3653 - Provisioning Templates Preview mode strips out text like <<FOO

#6 Updated by Aaron Stone over 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#7 Updated by Anonymous over 8 years ago

  • Related to Bug #8133: template diffs don't get displayed anymore added

Also available in: Atom PDF