Commit 33b810a0 authored by Lucas Kanashiro's avatar Lucas Kanashiro

Add patch fixing CVE-2018-12479. Closes #911797

parent 0889254c
Description: Prevent creation of a request with an ID attribute
Fixes CVE-2018-12479. This patch was backported from upstream:
https://github.com/openSUSE/open-build-service/pull/5880/files
Author: Lucas Kanashiro <kanashiro@debian.org>
Last-Updated: 2019-02-04
--- a/src/api/app/controllers/request_controller.rb
+++ b/src/api/app/controllers/request_controller.rb
@@ -21,6 +21,10 @@ class RequestController < ApplicationCon
setup 404, 'This call requires at least one filter, either by user, project or package or states or types or reviewstates'
end
+ class SaveError < APIError
+ setup 'request_save_error'
+ end
+
def render_request_collection
# if all params areblank, something is wrong
raise RequireFilter if [:project, :user, :states, :types, :reviewstates, :ids].all? { |f| params[f].blank? }
@@ -142,7 +146,12 @@ class RequestController < ApplicationCon
def request_create
xml = nil
BsRequest.transaction do
- @req = BsRequest.new_from_xml(request.raw_post.to_s)
+ parsed_xml = Xmlhash.parse(request.raw_post.to_s)
+
+ raise SaveError, 'Failed parsing the request xml' unless parsed_xml
+ raise SaveError, 'Request ID attribute not allowed when creating a request' if parsed_xml['id']
+
+ @req = BsRequest.new_from_hash(parsed_xml)
@req.set_add_revision if params[:addrevision].present?
@req.set_ignore_build_state if params[:ignore_build_state].present?
@req.save!
--- a/src/api/app/models/bs_request.rb
+++ b/src/api/app/models/bs_request.rb
@@ -149,7 +149,10 @@ class BsRequest < ApplicationRecord
hashed = Xmlhash.parse(xml)
raise SaveError, 'Failed parsing the request xml' unless hashed
+ new_from_hash(hashed)
+ end
+ def self.new_from_hash(hashed)
if hashed['id']
theid = hashed.delete('id') { raise 'not found' }
theid = Integer(theid)
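Review bot: The CVE guard `raise SaveError, 'Request ID attribute not allowed when creating a request' if parsed_xml['id']` lives only in `request_create`, while the new public `BsRequest.new_from_hash` still honours an `id` key (it deletes the key and coerces it with `Integer` before the hunk ends, apparently to refer to an existing request), so the model method stays unsafe for any other caller that hands it attacker-controlled XML without repeating the check, and the patch does not state that contract where the method is defined. A header comment such as `# An 'id' key is treated as a reference to an existing request; callers fed untrusted XML must reject it first (CVE-2018-12479).` above `def self.new_from_hash(hashed)` would make the split of responsibility explicit. The `unless parsed_xml` check in the controller also assumes `Xmlhash.parse` returns a falsy value on malformed input; if it raises instead, that guard never fires and the failure surfaces as something other than the controller's `SaveError`, which is worth confirming against the Xmlhash version in use. `new_from_xml` begins before this hunk and `new_from_hash` continues past its end.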
CVE-2018-12479.patch
Do-not-load-external-js-in-runtime.patch
use-ruby2.5.patch
database.yml-settings.patch