CVE-2016-3693: Remove `inspect` from allowed methods · theforeman/safemode@0f764a1
A flaw was found in the provisioning template handling in Foreman. An attacker with permission to create templates can cause internal Rails information to be displayed when the template is processed, resulting in potentially sensitive information being disclosed.
@@ -19,15 +19,15 @@ def test_sending_to_jail_to_an_object_should_return_a_jail end
def test_jail_instances_should_have_limited_methods expected = ["class", "inspect", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", “instance_variable_get”] expected = ["class", "method_missing", "methods", "respond_to?", "respond_to_missing?", "to_jail", "to_s", “instance_variable_get”] expected.delete(‘respond_to_missing?’) if RUBY_VERSION > ‘1.9.3’ # respond_to_missing? is private in rubies above 1.9.3 objects.each do |object| assert_equal expected.sort, reject_pretty_methods(object.to_jail.methods.map(&:to_s).sort) end end
def test_jail_classes_should_have_limited_methods expected = ["new", "methods", "name", "inherited", "method_added", "inspect", expected = ["new", "methods", "name", "inherited", "method_added", "allow", "allowed?", "allowed_methods", "init_allowed_methods", "<", # < needed in Rails Object#subclasses_of "ancestors", “==” # ancestors and == needed in Rails::Generator::Spec#lookup_class
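Review bot: the hunk only changes the expected method lists in the two tests (dropping "inspect" from both the instance-jail and class-jail expectations); the allowed-methods definition in the Jail classes themselves is not part of this excerpt, so confirm the same commit removes `inspect` from the jail's allowed methods as well, otherwise these tests will fail rather than document the fix. Separately, `expected.delete('respond_to_missing?') if RUBY_VERSION > '1.9.3'` compares version strings lexically, which breaks once a component has two digits (e.g. "1.10.0" sorts below "1.9.3"); `Gem::Version.new(RUBY_VERSION) > Gem::Version.new('1.9.3')` gives the intended numeric comparison.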