First Last Prev Next    This bug is not in your last search results.
Bug 1469599 - Safe mode rendering does not correctly prevent using symbol to proc calls
Safe mode rendering does not correctly prevent using symbol to proc calls
Status: ON_QA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security (Show other bugs)
6.2.0
Unspecified Unspecified
high Severity high (vote)
: GA
: --
Assigned To: Tomer Brisker
Katello QA List
: Security, Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-11 10:22 EDT by Tomer Brisker
Modified: 2017-08-15 16:26 EDT (History)
6 users (show)

See Also:
Fixed In Version: foreman-1.15.3
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 20271 None None None 2017-07-11 10:22 EDT

  None (edit)
Description Tomer Brisker 2017-07-11 10:22:33 EDT 
Using methods such as `.each`, a user can pass as an argument a symbol to be called, for example `.each(&:delete)`. 
This allows execution of commands that should be blocked by the jail.
A fix proposal in the safemode gem has been suggested: https://github.com/svenfuchs/safemode/pull/23
Once it is merged we should update our version of the gem to the latest one.
Comment 1 Tomer Brisker 2017-07-11 10:22:39 EDT 
Created from redmine issue http://projects.theforeman.org/issues/20271
Comment 3 pm-sat@redhat.com 2017-07-11 12:10:34 EDT 
Upstream bug assigned to tbrisker@redhat.com
Comment 4 pm-sat@redhat.com 2017-07-11 12:10:37 EDT 
Upstream bug assigned to tbrisker@redhat.com
Comment 5 pm-sat@redhat.com 2017-07-11 14:10:37 EDT 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/20271 has been resolved.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.