Bug 1215034 (CVE-2015-3163)

Summary: anonymous users can modify key types and power types
Product: [Retired] Beaker Reporter: Dan Callaghan <dcallagh>
Component: generalAssignee: matt jia <mjia>
Status: CLOSED CURRENTRELEASE QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: aigao, asaha, dcallagh, dowang, ebaak, huiwang, ineilsen, jskeoch, junichi.nomura, kueda, lzhuang, mjia, naoya.horiguchi, pen-test, rpotts, security-response-team, tatsu-ab1, tflink
Target Milestone: 20.1Keywords: Patch, Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-08 04:05:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1215894    
Attachments:
Description Flags
proposed patch
none
proposed patch
none
proposed patch dcallagh: review+

Description Dan Callaghan 2015-04-24 07:34:12 UTC 
Description of problem:
The admin pages for key types and power types do not perform any access checks. An authenticated user can visit these URLs directly (they do not appear in the menu for non-admins) and modify power types and key types.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Actual results:
All operations are allowed.

Expected results:
We can probably allow anonymous users to list the key types and power types as this would be generally useful (and is not sensitive information). However modifications should not be permitted except by admins.
Comment 1 matt jia 2015-04-30 01:09:49 UTC 
Created attachment 1020383 [details]
proposed patch
Comment 2 matt jia 2015-04-30 01:42:40 UTC 
Created attachment 1020388 [details]
proposed patch
Comment 3 matt jia 2015-04-30 02:20:42 UTC 
Created attachment 1020389 [details]
proposed patch
Comment 6 Hui Wang 2015-05-04 07:25:54 UTC 
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Go to $BEAKER/powertypes/ without logging in
2. Create or remove power types
3. Go to $BEAKER/keytypes/ without logging in
4. Create or remove key types

Result: server give 403 response.
Comment 7 Dan Callaghan 2015-05-08 04:05:44 UTC 
Beaker 20.1 has been released.