CVE-2014-3712 Katello: user parameters passed to to_sym
|Target version:||Katello 2.1|
|Triaged:||Yes||Fixed in Releases:|
|Bugzilla link:||1155708||Found in Releases:|
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1155708
Jan Rusnacko of Red Hat reports:
Katello code exposes potential to_sym Denial of Service attack vector from user input parameters. The two places identified are:
This type of attack is documented here - http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/RubySymbols.html
This has been confirmed in testing by Eric Helms of Red Hat.
Fixes #8263: Remove usage of to_sym on user input params.
Addresses CVE-2014-3712, whereby two locations in the code turn user
input into symbols and allow potential DoS attacks by an authenticated user.
The first location, content search params, was turned from symbol matching
into string matching to avoid the to_sym conversion. The second location
involves the use of the Rails action param. While this should be guarded
by the internals of Rails, the code was changed to only perform the to_sym
if the params[:action] parameter exists within the application by doing
the respond_to? check prior to the to_sym in the send.