Fixes #36759 - only call allowed transpilers #9836
Conversation
| ['ct', 'fcct'].each do |setting_prefix| | ||
| setting = Setting.where(name: "#{setting_prefix}_command") | ||
| if setting | ||
| setting.value = setting.value.drop(1) |
There was a problem hiding this comment.
this throws away the currently configured path and I did not add code to set up (fc)ct_location as I think an upgrade warning is sufficient.
evgeni
force-pushed
the
i36759
branch
5 times, most recently
from
362e8b2 to
194f979
Compare
|
[test katello] |
Will we need to add a set of installer parameters for this? |
|
We did for sendmail (theforeman/puppet-foreman@6c902a4), so I guess yeah? |
|
hmmm, so the code reads correctly, and works inside the console, but the migration doesn't migrate shit |
Aha! |
CVE-2022-3874: OS command injection via ct_command and fcct_command Instead of allowing to call *any* command by changing a setting, only allow specific paths to ct/fcct. If the user needs a different path, they can set it via settings.yaml.
|
I hate migrations… |
|
[test katello] |
|
release notes: theforeman/theforeman.org#2101 |
|
Just a heads up that this is now being picked up by dependabot as GHSA-9jfq-54vc-9rr2 - if someone can confirm what version this fix is expected to land in, I can prepare a PR to update the advisory with the fixed version :) Actually digging further, I think the GHSA might be wrong - someone has mixed up forman the gem with foreman the .. app (whatever the not-cli is called 😅) I've opened github/advisory-database#2761 requesting the advisory be withdrawn. |
|
@G-Rath thanks. the advisory was withdrawn now. |
CVE-2022-3874: OS command injection via ct_command and fcct_command
Instead of allowing to call any command by changing a setting, only allow specific paths to ct/fcct. If the user needs a different path, they can set it via settings.yaml.