Bug 960363 (CVE-2013-2060) - CVE-2013-2060 OpenShift: Potential remote command execution vulnerability in download cart url
Summary: CVE-2013-2060 OpenShift: Potential remote command execution vulnerability in ...
Alias: CVE-2013-2060
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 958928
TreeView+ depends on / blocked
Reported: 2013-05-07 06:06 UTC by Kurt Seifried
Modified: 2019-09-29 13:04 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-05-07 18:24:06 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2013-05-07 06:06:30 UTC
Clayton Coleman reports:

Never use the ` form in ruby when the variables aren't known to be safe values

  def self.download_from_url(url)
    max_dl_time = (Rails.application.config.downloaded_cartridges[:max_download_time] rescue 10) || 10
    max_file_size = (Rails.application.config.downloaded_cartridges[:max_cart_size] rescue 20480) || 20480
    max_redirs = (Rails.application.config.downloaded_cartridges[:max_download_redirects] rescue 2) || 2
    `curl --max-time #{max_dl_time} --connect-timeout 2 --location --max-redirs #{max_redirs} --max-filesize #{max_file_size} -k #{url}`

If 'URL' is not properly validated, then someone could inject " ; rm -rf /*"

In this method, URL needs to be a properly formatted URI with a known whitelist of parameters.

In addition, we should only accept URI's that are of the following whitelisted criteria:

Parses URI successfully
Protocol is 'http', 'https', 'git', 'ftp' (I can't think of others that are really safe).  'file' should NOT be allowed
Host must be specified, and be non localhost (otherwise you allow a local injection attack).  We need to be very careful here not to allow probing of the internal network, so we should only allow addresses that resolve outside of the exsrvs.  
Port should be valid
Path should be valid

If the URI does not meet these criteria an error message should be returned to the user.

Note You need to log in before you can comment on or make changes to this bug.