Bug #8263

CVE-2014-3712 Katello: user parameters passed to to_sym

Added by Eric Helms over 3 years ago. Updated 9 days ago.

Status: Closed
Priority: Low
Assignee: -
Category: -
Target version: Katello 2.1
Difficulty:
Team Backlog:
Triaged: Yes
Fixed in Releases:
Bugzilla link: 1155708
Found in Releases:
Pull request: https://github.com/Katello/katello/pull/4802

Description

Associated revisions

Revision fc5ccc59
Added by Eric Helms over 3 years ago

Fixes #8263: Remove usage of to_sym on user input params.

Addresses CVE-2014-3712, whereby two locations in the code turn user
input into symbols and allow potential DoS attacks by an authenticated user.

The first location, content search params, was turned from symbol matching
into string matching to avoid the to_sym conversion. The second location
involves the use of the Rails action param. While this should be guarded
by the internals of Rails, the code was changed to only perform the to_sym
if the params[:action] parameter exists within the application by doing
the respond_to? check prior to the to_sym in the send.
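The two patterns the commit describes, as an added Ruby example that is not Katello's code (the class and method names are hypothetical): the content-search `case` that interned user input beside its string-matching form, and the `send` dispatch beside the `respond_to?`-guarded form.

```ruby
# Added illustration of the two patterns named in the commit message above;
# this is not Katello's code, and the class and method names are hypothetical.
class SearchController
  def initialize(params)
    @params = params
  end

  # Vulnerable shape: every distinct user-supplied string is interned as a
  # new Symbol. On Ruby < 2.2 Symbols were never garbage-collected, so an
  # authenticated user sending many unique values could exhaust memory.
  def search_type_vulnerable
    case @params[:search_type].to_sym
    when :packages then "package search"
    when :errata   then "errata search"
    else "unknown"
    end
  end

  # Hardened shape from the commit: match as Strings, so nothing is interned.
  def search_type_fixed
    case @params[:search_type]
    when "packages" then "package search"
    when "errata"   then "errata search"
    else "unknown"
    end
  end

  def packages; "ran packages"; end
  def errata;   "ran errata";   end

  # Vulnerable dispatch: to_sym runs before anyone checks that the name exists.
  def dispatch_vulnerable
    send(@params[:action].to_sym)
  end

  # Hardened dispatch from the commit: respond_to? takes the String, so the
  # Symbol is created only for a name the application already defines.
  # Caveat: respond_to? is true for any public method, so an explicit
  # allowlist of action names is the tighter check.
  def dispatch_fixed
    name = @params[:action].to_s
    return "unknown action" unless respond_to?(name)
    send(name.to_sym)
  end
end
```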

Revision 5e8f9721
Added by Eric D Helms over 3 years ago

Merge pull request #4802 from ehelms/fixes-8263

Fixes #8263: Remove usage of to_sym on user input params.

History

#1 Updated by The Foreman Bot over 3 years ago

  • Status changed from New to Ready For Testing
  • Target version set to 59
  • Pull request https://github.com/Katello/katello/pull/4802 added

#2 Updated by Eric Helms over 3 years ago

  • Target version changed from 59 to 61

#3 Updated by Eric Helms over 3 years ago

  • Legacy Backlogs Release (now unused) set to 14
  • Triaged changed from No to Yes

#4 Updated by Eric Helms over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
