CVE-2017-1002153: Issue #563: Possible to bypass allowed_scm blacklist - koji
Koji 1.13.0 does not properly validate SCM paths, allowing an attacker to work around blacklisted paths for build submission.
Thanks, looks fine. I’ll merge this before 1.14
Metadata Update from @mikem:
- Issue set to the milestone: 1.14
5 years ago
This issue has been assigned CVE-2017-1002153.
The previous patch adjusts some checks, extends the unit tests to cover the sorts of URLs we’re concerned with, and preserves our code coverage.
It also catches paths starting with //, which normpath for some reason does not.
This patch looks good to me.
Metadata Update from @mikem:
- Issue private status set to: False (was: True)
5 years ago
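The comment above notes that `normpath` does not collapse a path starting with `//`. The following is an added example, not koji's code: a hypothetical SCM-path prefix check that shows the `posixpath.normpath` behaviour (exactly two leading slashes survive, three or more collapse to one) and rejects such paths explicitly after normalization. The allow-list prefixes and host name are constructed.

```python
"""Prefix validation of an SCM URL path, with the normpath '//' edge case.

Added example, not koji's implementation. Assumed rule: the path component
of the URL must, once normalized, lie under an allowed prefix and must not
begin with '//'.
"""
import posixpath
from urllib.parse import urlparse

# Constructed allow-list of repository path prefixes (hypothetical values).
ALLOWED_PREFIXES = ("/git/allowed/", "/cgit/allowed/")


def normalize_scm_path(path: str) -> str:
    """Collapse '.' and '..' components with posixpath.normpath.

    POSIX treats exactly two leading slashes as implementation-defined, so
    normpath preserves '//x' as '//x' while '///x' becomes '/x'.
    """
    return posixpath.normpath(path)


def scm_path_allowed(url: str, allowed=ALLOWED_PREFIXES) -> bool:
    """True only if the normalized URL path is under an allowed prefix."""
    path = normalize_scm_path(urlparse(url).path)
    if path.startswith("//"):
        # normpath keeps the double leading slash, so a prefix check alone
        # would not see this path as '/git/...'; refuse it explicitly.
        return False
    if not path.endswith("/"):
        path += "/"  # so '/git/allowed-other/' is not matched by '/git/allowed/'
    return any(path.startswith(prefix) for prefix in allowed)


if __name__ == "__main__":
    for u in ("git://example.invalid/git/allowed/repo",
              "git://example.invalid/git/allowed/../other/repo",
              "git://example.invalid//git/allowed/repo",
              "git://example.invalid///git/allowed/repo"):
        print(u, "->", scm_path_allowed(u))
```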