Bug #32753
Updated by Lukas Zapletal over 3 years ago
Sendmail location and arguments, available via Administer - Settings, both accept arbitrary strings and pass them into the shell. By default, only the Foreman super administrator can access settings.

Mitigation: Verify both settings and remove the edit_settings permission from all roles and users until fixed. Alternatively, create settings named sendmail_location and sendmail_arguments in the settings.yaml file to override the UI and make the values read-only.

Solution: Limit the possible values for location to just the expected paths. Use shell escaping for arguments, as there is currently no way to pass arguments to the 'mail' gem in a safe manner.
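As an added illustration of the proposed solution (example code written for this note, not Foreman's own patch), the two checks below allowlist the sendmail location and shell-escape the arguments before either value is handed to the shell. The allowlisted paths, the function names and the sample inputs are assumptions made for the example.

```ruby
require 'shellwords'

# Assumed allowlist of sendmail binaries; a real deployment would list only
# the path(s) actually installed. Anything not in this list is rejected
# outright, so no unexpected string can reach the shell as the command.
SENDMAIL_LOCATIONS = %w[/usr/sbin/sendmail /usr/bin/sendmail /usr/lib/sendmail].freeze

# Returns the location unchanged when it is an allowed path, otherwise raises.
# Comparing whole strings (not prefixes or regexes) means a value such as
# "/usr/sbin/sendmail; id" cannot slip through as a "known" path.
def validate_sendmail_location(value)
  return value if SENDMAIL_LOCATIONS.include?(value)
  raise ArgumentError, "sendmail_location must be one of: #{SENDMAIL_LOCATIONS.join(', ')}"
end

# Splits the argument string into words using shell quoting rules, then
# re-quotes every word so that metacharacters (; | & $( ) ` > and friends)
# are passed to sendmail as literal bytes instead of being interpreted.
# Shellwords.split raises ArgumentError on unbalanced quotes, which is the
# desired outcome for a malformed setting.
def escape_sendmail_arguments(value)
  Shellwords.split(value).map { |arg| Shellwords.escape(arg) }.join(' ')
end

# Builds the command line that would be given to the shell; both halves have
# been validated or escaped, so the result contains no live shell syntax.
def build_sendmail_command(location, arguments)
  "#{validate_sendmail_location(location)} #{escape_sendmail_arguments(arguments)}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values: the usual defaults, then an injection attempt.
  puts build_sendmail_command('/usr/sbin/sendmail', '-i -t')
  puts build_sendmail_command('/usr/sbin/sendmail', '-i; id')
  begin
    build_sendmail_command('/usr/sbin/sendmail; id', '-i -t')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

A useful property to check is the round trip: splitting the escaped string again with shell rules must yield exactly the original words, which shows the metacharacters survived only as literal text. Validation of this kind belongs at the point where the setting is saved, so that a bad value is never stored rather than being caught (or missed) each time mail is sent.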