Jan Rusnacko of Red Hat reports: Katello code exposes potential to_sym Denial of Service attack vector from user input parameters. The two places identified are:

https://github.com/Katello/katello/blob/9231e24f93fa804e557fc95637cfa2c5bb92f6a7/app/controllers/katello/content_search_controller.rb#L617
https://github.com/Katello/katello/blob/9231e24f93fa804e557fc95637cfa2c5bb92f6a7/app/controllers/katello/api/api_controller.rb#L87

This type of attack is documented here - http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/RubySymbols.html

This has been confirmed in testing by Eric Helms of Red Hat.
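The following is an added illustration of the issue class described in the report, not code from Katello or from the reporter. It shows the vulnerable pattern (calling to_sym on a request parameter the client controls) next to a hardened form that only ever maps input strings onto a fixed set of pre-existing symbols, so no client-chosen string is ever interned. The names ALLOWED_SORT_FIELDS, safe_sort_field and the sample inputs are hypothetical and constructed for this example.

```ruby
# Added example (not Katello's code). In Ruby before 2.2 symbols are never
# garbage-collected, so a handler that calls to_sym on attacker-controlled
# strings lets a remote client grow the symbol table without bound and
# exhaust process memory. The fix is to never intern untrusted input:
# look the string up in a fixed table of symbols that already exist.

# Hypothetical whitelist of fields a client may sort on.
ALLOWED_SORT_FIELDS = %i[name created_at updated_at].freeze

# Vulnerable pattern: every distinct value the client sends becomes a new,
# permanent symbol (on Ruby < 2.2).
def unsafe_sort_field(param)
  param.to_sym
end

# Hardened pattern: map the string through a table built from the whitelist.
# Only symbols that already exist can be returned; unknown input raises.
def safe_sort_field(param, allowed = ALLOWED_SORT_FIELDS)
  lookup = allowed.each_with_object({}) { |sym, table| table[sym.to_s] = sym }
  lookup.fetch(param.to_s) do
    raise ArgumentError, "unknown sort field: #{param.inspect}"
  end
end

# Variant that falls back to a default instead of raising, for callers that
# prefer to ignore bad input rather than return an error to the client.
def sort_field_or_default(param, default: :name, allowed: ALLOWED_SORT_FIELDS)
  safe_sort_field(param, allowed)
rescue ArgumentError
  default
end

# Constructed stand-in for attacker traffic: many distinct parameter values,
# each of which would become a fresh symbol under the unsafe pattern.
def attacker_params(count)
  Array.new(count) { |i| "field_#{i}_#{rand(36**8).to_s(36)}" }
end

# Number of symbols that exist after feeding the inputs to a handler, minus
# the number before. Illustrative only: on Ruby >= 2.2 dynamic symbols can be
# collected, so the unsafe figure may shrink again after a GC run.
def new_symbols_created(handler, params)
  before = Symbol.all_symbols.size
  params.each do |p|
    begin
      handler.call(p)
    rescue ArgumentError
      nil
    end
  end
  Symbol.all_symbols.size - before
end

if __FILE__ == $PROGRAM_NAME
  inputs = attacker_params(10_000)
  puts "unsafe handler interned: #{new_symbols_created(method(:unsafe_sort_field), inputs)} new symbols"
  puts "safe handler interned:   #{new_symbols_created(method(:safe_sort_field), inputs)} new symbols"
end
```

Running the script stand-alone prints the number of symbols each handler creates for ten thousand random parameter values; the hardened handler creates none regardless of input, which is the property that removes the denial-of-service vector. Note that a whitelist check such as `allowed.include?(param.to_sym)` is not a fix, because the to_sym already happens before the check.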
*** Bug 1153824 has been marked as a duplicate of this bug. ***
Acknowledgements: This issue was discovered by Jan Rusnacko of Red Hat Product Security.
Created redmine issue http://projects.theforeman.org/issues/8263 from this bug