
Revision 2f3839eb

Added by Joseph Magen almost 11 years ago

  • ID 2f3839eb9928bd04876c2e1bfe509cd9ed120991

fixes #2631 - fix remote code execution via controller name (CVE-2013-2121)
(cherry picked from commit ef4b97d177c58c9532730d53dca0517bc869a0ce)

Conflicts:
app/views/common/_puppetclasses_or_envs_changed.html.erb


app/controllers/application_controller.rb
obj = controller_name.singularize
# determine if we are searching for a numerical id or plain name
cond = "find_by_" + ((id =~ /^\d+$/ && (id=id.to_i)) ? "id" : "name")
not_found and return unless eval("@#{obj} = #{obj.camelize}.#{cond}(id)")
not_found and return unless instance_variable_set("@#{obj}", obj.camelize.constantize.send(cond, id))
end
def notice notice
......
end
def process_success hash = {}
hash[:object] ||= eval("@#{controller_name.singularize}")
hash[:object] ||= instance_variable_get("@#{controller_name.singularize}")
hash[:object_name] ||= hash[:object].to_s
unless hash[:success_msg]
hash[:success_msg] = case action_name
......
raise Foreman::Exception.new(N_("Unknown action name for success message: %s"), action_name)
end
end
hash[:success_redirect] ||= eval("#{controller_name}_url")
hash[:success_redirect] ||= send("#{controller_name}_url")
hash[:json_code] = :created if action_name == "create"
return render :json => {:redirect => hash[:success_redirect]} if hash[:redirect_xhr]
......
end
def process_error hash = {}
hash[:object] ||= eval("@#{controller_name.singularize}")
hash[:object] ||= instance_variable_get("@#{controller_name.singularize}")
case action_name
when "create" then hash[:render] ||= "new"
when "update" then hash[:render] ||= "edit"
else
hash[:redirect] ||= eval("#{controller_name}_url")
hash[:redirect] ||= send("#{controller_name}_url")
end
hash[:json_code] ||= :unprocessable_entity
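Review bot: `send(cond, id)` on the line `instance_variable_set("@#{obj}", obj.camelize.constantize.send(cond, id))` will also invoke private methods, so `public_send` is the tighter replacement now that the string is no longer evaluated; the same applies to `send("#{controller_name}_url")` in process_success and process_error. Here `controller_name` comes from routing and `cond` is a fixed `find_by_` prefix plus a literal, so this is hardening rather than a live hole, but `constantize` on a routing-derived name deserves a comment saying exactly why it is acceptable, e.g. `# controller_name comes from the route, never from params, so constantize/send on it are safe`. The method containing the first hunk starts before it and process_error's body continues past the last hunk line.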
app/controllers/bookmarks_controller.rb
respond_to do |format|
if @bookmark.save
format.html { redirect_to(eval(@bookmark.controller+"_path"), :notice => _('Bookmark was successfully created.')) }
format.html { redirect_to send("#{@bookmark.controller}_path"), :notice => _('Bookmark was successfully created.') }
else
format.html { render :action => "new" }
end
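Review bot: The redirect `send("#{@bookmark.controller}_path")` is safe only because `@bookmark.save` has just run the model's new inclusion validation; if that validation is ever skipped (`save(:validate => false)`, a record edited through another path) this becomes a user-controlled method call on the controller again, private methods included. A local guard makes the assumption explicit and cheap: `target = "#{@bookmark.controller}_path"` and `redirect_to(respond_to?(target) ? public_send(target) : bookmarks_path, :notice => ...)` — the fallback route is a guess, use whatever default the app already has. The `create` action this sits in begins before the hunk.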
app/controllers/unattended_controller.rb
def load_template_vars
# load the os family default variables
eval "#{@host.os.pxe_type}_attributes"
send "#{@host.os.pxe_type}_attributes"
end
def jumpstart_attributes
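Review bot: `send "#{@host.os.pxe_type}_attributes"` dispatches on a value stored on the operating-system record, and nothing in the hunk bounds it: a blank `pxe_type` raises NoMethodError on `_attributes`, and if the value can be influenced by whoever edits operating systems it still lets any public or private method of the controller be called. Where `pxe_type` is derived from is not visible here, so this is hedged, but a whitelist of the real `*_attributes` methods (jumpstart_attributes is the one visible) costs one line: `raise ::Foreman::Exception.new(N_("Unknown PXE type: %s"), @host.os.pxe_type) unless PXE_TYPES.include?(@host.os.pxe_type)` with `PXE_TYPES` frozen at the class level. `load_template_vars` is complete within the hunk.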
app/helpers/application_helper.rb
end
def auto_complete_search(name, val, options = {})
path = eval("#{controller_name}_path")
path = send("#{controller_name}_path")
options.merge!(:class => "autocomplete-input", :'data-url' => "#{path}/auto_complete_#{name}" )
text_field_tag(name, val, options)
end
......
end
def method_path method
eval("#{method}_#{controller_name}_path")
send("#{method}_#{controller_name}_path")
end
def edit_textfield(object, property, options={})
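Review bot: `method_path` has no documentation and its parameter is named `method`, which shadows `Object#method` inside the body; since the commit rewrites its only line it is a good moment to rename it. Suggested header `# Route helper for "<action>_<controller>_path" on the current controller, e.g. method_path(:edit)` above the def, with `def method_path action` and `send("#{action}_#{controller_name}_path")` — renaming a positional parameter does not change the call interface. Both helpers in this section interpolate `controller_name`, which is route-derived rather than request input, and that is what keeps the `send` safe; a comment saying so would stop a future caller from passing a param.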
app/helpers/audits_helper.rb
when 'last_login_on'
change.to_s(:short)
when /.*_id$/
model = (eval name.humanize)
model.find(change).to_label
name.humanize.constantize.find(change).to_label
else
change.to_s
end.truncate(50)
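Review bot: `name.humanize.constantize` breaks for any foreign key whose base name contains an underscore: `humanize` turns a column like `compute_resource_id` into `"Compute resource"`, and `constantize` raises NameError on the space, so this branch can 500 the audits view (the old `eval` form failed the same way, as a SyntaxError). Derive the class from the column instead: `name.sub(/_id\z/, '').camelize.constantize.find(change).to_label`. Whether such columns are audited is not visible in this hunk, so confirm against the audited models. `find(change)` also raises RecordNotFound once the referenced row has been deleted, which audit history makes likely; the enclosing method and `case` start before the hunk.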
app/helpers/common_parameters_helper.rb
return true if authorized_for(controller, action)
operation = "#{action}_my_#{controller.singularize}".to_sym
User.current.allowed_to?(operation) and User.current.send(controller).include?(eval("@#{controller.singularize}"))
User.current.allowed_to?(operation) and User.current.send(controller).include?(instance_variable_get("@#{controller.singularize}"))
end
def parameters_title
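Review bot: `User.current.send(controller)` on the rewritten line still dispatches a method name on the user object taken from the `controller` argument, and `instance_variable_get("@#{controller.singularize}")` reads whichever ivar that name selects; the hunk does not show where `controller` originates, so if it can ever come from a route or parameter this remains an arbitrary-method-call gadget on `User` (public or private, `destroy` included). If it is always a literal from the calling helper, state that invariant: `# controller is a hard-coded collection name such as "hosts", never request input`. `public_send` would at least exclude private methods. The enclosing method starts before the hunk.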
app/helpers/home_helper.rb
end
def menu(tab, label, path = nil)
path ||= eval("hash_for_#{tab}_path")
path ||= send("hash_for_#{tab}_path")
return '' unless authorized_for(path[:controller], path[:action] )
content_tag(:li, :class => "menu_tab_#{tab} ") do
link_to_if_authorized(label, path)
......
def allowed_choices choices, action = "index"
choices.map do |opt|
name, kontroller = opt
url = eval("#{kontroller}_url")
url = send("#{kontroller}_url")
authorized_for(kontroller, action) ? [name, url] : nil
end.compact.sort
end
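Review bot: `menu` and `allowed_choices` now dispatch route helpers via `send` on `tab` and `kontroller`, and neither method documents that these must be developer-supplied literals; the `send` is safe only under that invariant, and a future caller passing a request parameter would reintroduce the class of bug this commit fixes. A comment on each makes it explicit, e.g. `# tab is a hard-coded menu key, never request input; it selects the hash_for_<tab>_path helper` and `# choices is a literal [name, controller] list from the view`. `public_send` in both places would also keep private methods out of reach.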
app/helpers/layout_helper.rb
end
def submit_or_cancel f, overwrite = false, args = { }
args[:cancel_path] ||= eval "#{controller_name}_path"
args[:cancel_path] ||= send("#{controller_name}_path")
content_tag(:div, :class => "form-actions") do
text = overwrite ? _("Overwrite") : _("Submit")
options = overwrite ? {:class => "btn btn-danger"} : {:class => "btn btn-primary"}
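Review bot: `args[:cancel_path] ||= send("#{controller_name}_path")` writes into the caller's `args` hash, so a view that reuses one options hash for two forms gets the first form's cancel path on the second; the `eval` line had the same side effect, but this is the line being rewritten. Non-mutating form: `cancel_path = args[:cancel_path] || send("#{controller_name}_path")`, then use `cancel_path` where the body reads `args[:cancel_path]` — that read is past the hunk, as `submit_or_cancel`'s body continues outside it.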
app/models/bookmark.rb
validates_uniqueness_of :name, :unless => Proc.new{|b| Bookmark.my_bookmarks.where(:name => b.name).empty?}
validates_presence_of :name, :controller, :query
validates_format_of :controller, :with => /\A(\S+)\Z/, :message => N_("can't be blank or contain white spaces.")
validates :controller, :inclusion => {
:in => ["dashboard"] + ActiveRecord::Base.connection.tables.map(&:to_s),
:message => _("%{value} is not a valid controller") }
default_scope lambda { order(:name) }
before_validation :set_default_user
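Review bot: The new inclusion list `["dashboard"] + ActiveRecord::Base.connection.tables` is computed once at class load, so loading the model needs a live database connection (e.g. during `rake assets:precompile` or a migration run), and it admits every table name, including ones with no controller such as `schema_migrations`, which then fail later at `send("..._path")` with NoMethodError instead of being rejected here. A whitelist of actual controller names, or a custom validator that checks the route helper exists (`Rails.application.routes.url_helpers.respond_to?("hash_for_#{controller}_path")`), is both stricter and free of the load-time dependency; a lambda for `:in` would also avoid the snapshot if this Rails version accepts one. Also prefer `\z` over `\Z` in `/\A(\S+)\Z/`, since `\Z` still admits a trailing newline, even though the inclusion check currently catches that case.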
app/views/bookmarks/_list.html.erb
<% if bookmarks.any? -%>
<ul class='dropdown-menu'>
<% bookmarks.each do |bookmark| -%>
<li><%= link_to_if_authorized bookmark.name, eval("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
<li><%= link_to_if_authorized bookmark.name, send("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
<% end -%>
</ul>
<% end -%>
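Review bot: The validation added in the model runs only on save, so bookmarks stored before this fix with an arbitrary `controller` value remain in the database, and `send("hash_for_#{bookmark.controller}_path")` here raises NoMethodError for every user who sees the dropdown — a 500 on each page that renders this partial, which is also exactly where a previously planted payload string would live. Pair the fix with a data migration that deletes or clears bookmarks whose controller is not in the allowed list, and guard the render with `<% next unless respond_to?("hash_for_#{bookmark.controller}_path") -%>` before the `<li>`. That the dropdown is widely rendered is inferred from `_searchbar.erb` in this same commit.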
app/views/common/_puppetclasses_or_envs_changed.html.erb
<% title _("Changed environments and puppet classes") -%>
<%= form_tag eval("obsolete_and_new_#{controller_name}_path") do -%>
<%= form_tag send("obsolete_and_new_#{controller_name}_path") do -%>
<fieldset>
<legend><%= _("Accept these environment changes found in puppet?") %> </legend>
<table class="table table-striped">
......
</table>
</fieldset>
<div>
<%= link_to _("Cancel"), eval("#{controller_name}_path"), :class => "btn" %>
<%= link_to _("Cancel"), send("#{controller_name}_path"), :class => "btn" %>
<%= submit_tag _("Update"), :class => "btn btn-primary" %>
</div>
<% end -%>
app/views/common/_searchbar.erb
<%= form_tag eval("#{controller_name}_path"), :method => "get", :class=>"form-inline form-search row-fluid" do %>
<%= form_tag send("#{controller_name}_path"), :method => "get", :class=>"form-inline form-search row-fluid" do %>
<div class="btn-toolbar btn-toolbar-condensed">
<div class="btn-group span12">
<div class="span9">
......
<ul class="dropdown-menu pull-right">
<% bookmarks = Bookmark.my_bookmarks.controller(controller_name) %>
<% bookmarks.each do |bookmark| -%>
<li><%= link_to_if_authorized bookmark.name, eval("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
<li><%= link_to_if_authorized bookmark.name, send("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query) %></li>
<% end -%>
<li class="divider"></li>
<li><%= link_to_function _('Bookmark this search'), "$('#bookmarks-modal').modal();",
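Review bot: The per-bookmark line `link_to_if_authorized bookmark.name, send("hash_for_#{bookmark.controller}_path").merge(:search => bookmark.query)` is duplicated verbatim from `app/views/bookmarks/_list.html.erb` in this same commit, so the next hardening of this dispatch (a `respond_to?` guard, a different helper) has to be made twice. Extract the `<li>` for one bookmark into a shared partial rendered from both places so a stored controller name becomes a route call in exactly one spot; `_list.html.erb` already takes a `bookmarks` local and may be adaptable, though its `<ul>` wrapper differs from the one here. The `form_tag` block opened in the first hunk closes outside the section.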
lib/foreman/controller/host_details.rb
def assign_parameter name, root = ""
taxonomy_scope
Taxonomy.as_taxonomy @organization, @location do
if params["#{name}_id"].to_i > 0 and eval("@#{name} = #{name.classify}.find(params['#{name}_id'])")
item = eval("@#{controller_name.singularize} || #{controller_name.classify}.new(params[:#{controller_name.singularize}])")
if params["#{name}_id"].to_i > 0 and instance_variable_set("@#{name}",name.classify.constantize.find(params["#{name}_id"]))
item = instance_variable_get("@#{controller_name.singularize}") || controller_name.classify.constantize.new(params[controller_name.singularize])
render :partial => root + name, :locals => { :item => item }
else
head(:not_found)
......
# @host = Host.new params[:host]
def item_object
name = item_name
eval("@#{name} = #{name.classify}.new params[:#{name}]")
instance_variable_set("@#{name}", name.classify.constantize.new(params[name.to_sym]))
end
def taxonomy_scope
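Review bot: The two rewritten lookups read the parameter hash inconsistently — `params[controller_name.singularize]` in assign_parameter uses a string key while `params[name.to_sym]` in item_object uses a symbol; this works only because `params` is indifferent-access and reads as though the two were meant to differ. Pick one form, e.g. `params[name]` in item_object. More important, `name.classify.constantize` builds a class lookup from whatever string is passed in; `controller_name` is route-derived, but `name` is an argument whose origin is not in the hunk, and if any caller derives it from a request parameter then `constantize` plus `find` is an arbitrary-model read. A one-line comment on `assign_parameter` stating that `name` is a literal from the calling controller would pin that invariant. `assign_parameter`'s body continues after the hunk; `item_object` is complete.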
test/unit/bookmark_test.rb
end
end
test "validation fails when invalid controller name stored" do
b = Bookmark.create :name => "controller_test", :controller => "hosts", :query => "foo=bar", :public => true
assert b.valid?
b.controller = "foo bar"
assert_not b.valid?
end
private
def enable_login &block
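Review bot: The new test exercises only the whitespace format validation (`b.controller = "foo bar"`), not the inclusion validation that actually closes the CVE, so a regression that drops the `:inclusion` rule would still pass. Add a well-formed but unknown name: `b.controller = "not_a_controller"` followed by `assert_not b.valid?`, plus a positive case for `"dashboard"`, which is accepted only through the explicit entry in the list. `enable_login` is cut off by the section boundary.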
