Red Hat Bugzilla – Bug 1469599
Safe mode rendering does not correctly prevent using symbol to proc calls
Last modified: 2017-08-15 16:26:59 EDT
Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`.
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged, we should update our version of the gem to the latest one.
Created from redmine issue http://projects.theforeman.org/issues/20271
Upstream bug assigned to email@example.com
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.
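
A pre-render audit for the pattern described in this report, as an added example that is not part of the bug report, the safemode gem, or the fix proposed in the linked pull request: it parses template Ruby with Ripper and reports every `&` block-pass argument that is not an allowlisted literal symbol. The allowlist contents, the sample template and the function names are assumptions made for illustration.

```ruby
require 'ripper'

# Hypothetical allowlist of methods a template may call through &:sym.
ALLOWED_SYMBOL_PROCS = %w[name to_s downcase].freeze

# Constructed sample of template Ruby code.
SAMPLE = <<~RUBY
  names = hosts.map(&:name)
  hosts.each(&:delete)
  hosts.each(&callback)
RUBY

# First scanner token, e.g. [:@ident, "delete", [line, col]], under a node.
def first_token(node)
  return nil unless node.is_a?(Array)
  return node if node[0].is_a?(Symbol) && node[0].to_s.start_with?('@')
  node.each do |child|
    tok = first_token(child)
    return tok if tok
  end
  nil
end

# Collect the expression of every block-pass argument (&expr) in the tree.
def block_passes(node, found = [])
  return found unless node.is_a?(Array)
  found << node[2] if node[0] == :args_add_block && node[2].is_a?(Array)
  node.each { |child| block_passes(child, found) }
  found
end

# Return one finding per block-pass that is not an allowlisted literal symbol.
def audit_template(src)
  tree = Ripper.sexp(src)
  return ['template does not parse'] if tree.nil?
  findings = []
  block_passes(tree).each do |arg|
    tok = first_token(arg)
    line = tok ? tok[2][0] : '?'
    if arg[0] == :symbol_literal && tok
      next if ALLOWED_SYMBOL_PROCS.include?(tok[1])
      findings << "line #{line}: &:#{tok[1]} is not an allowed symbol proc"
    else
      findings << "line #{line}: non-literal block argument"
    end
  end
  findings
end

puts audit_template(SAMPLE) if $PROGRAM_NAME == __FILE__
```

Block arguments that are not literal symbols (such as `&callback`) are reported as well, because their target method cannot be checked statically.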