Merge pull request #499 from lzap/secret_token
850745 - secret_token is not generated properly (CVE-2012-3503)
lzap committed Aug 22, 2012
2 parents 514b541 + 9b86c4b commit 7c256fe
Showing 2 changed files with 20 additions and 12 deletions.
19 changes: 13 additions & 6 deletions src/config/initializers/secret_token.rb
@@ -1,7 +1,14 @@
# Be sure to restart your server when you modify this file.
require 'active_support/secure_random'

# Your secret key for verifying the integrity of signed cookies.
# If you change this key, all old signed cookies will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
Src::Application.config.secret_token = 'f466b184ef680822293d7130f57593a7087a34b5de0607c64d1ceb66fcac4dce6810a6f176feba3fbbf2489de93c0918397c0c275996eb476b2fa6079ab849c1'
begin
# Read token string from the file.
token = IO.read('/etc/katello/secret_token')
raise RuntimeError, 'Size is too small' if token.length < 9
Src::Application.config.secret_token = token.chomp
rescue Exception => e
# If anything is wrong make sure the token is random. This is safe even when
# Katello is not configured correctly for any reason (but session is lost
# after each restart).
Rails.logger.warn "Using randomly generated secure token: #{e.message}"
Src::Application.config.secret_token = ActiveSupport::SecureRandom.hex(80)
end
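Review bot: `rescue Exception => e` in the new initializer is too broad — it also catches `SignalException`, `SystemExit` and `NoMemoryError`, so an interrupt or shutdown during boot is turned into a quietly generated random token instead of stopping the process; `rescue StandardError => e` still covers the `Errno::ENOENT` from `IO.read` and the `RuntimeError` raised by the size check. That size check is also weaker than the guidance this commit removes (at least 30 characters) and runs before `chomp`, so a short token plus its trailing newline counts toward the minimum; `raise RuntimeError, 'Size is too small' if token.chomp.length < 30` would match the 128-character token the spec writes. The comment on the fallback correctly notes that every restart on a misconfigured host invalidates all sessions; it may be worth logging that at a level operators will notice rather than only the exception message.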
13 changes: 7 additions & 6 deletions src/katello.spec
Expand Up @@ -364,19 +364,20 @@ install -m 644 man/katello-service.8 %{buildroot}/%{_mandir}/man8
/sbin/chkconfig --add %{name}
/sbin/chkconfig --add %{name}-jobs

%postun common
#update config/initializers/secret_token.rb with new key
NEWKEY=$(</dev/urandom tr -dc A-Za-z0-9 | head -c128)
sed -i "s/^Src::Application.config.secret_token = '.*'/Src::Application.config.secret_token = '$NEWKEY'/" \
%{homedir}/config/initializers/secret_token.rb
#Generate secret token if the file does not exist
#(this must be called both for installation and upgrade)
TOKEN=/etc/katello/secret_token
test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN \
&& chmod 600 $TOKEN && chown katello:katello $TOKEN)

%posttrans common
rm %{datadir}/Gemfile.lock
rm -f %{datadir}/Gemfile.lock 2>/dev/null
/sbin/service %{name} condrestart >/dev/null 2>&1 || :

%files
%attr(600, katello, katello)
%{_bindir}/katello-*
%ghost %attr(600, katello, katello) %{_sysconfdir}/%{name}/secret_token
%{homedir}/app/controllers
%{homedir}/app/helpers
%{homedir}/app/mailers
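Review bot: The token file is created by shell redirection under the package manager's umask and only afterwards `chmod 600`, so the secret can briefly sit on disk world-readable; creating it under a restrictive umask closes that window, e.g. `test -f $TOKEN || (umask 077 && </dev/urandom tr -dc A-Za-z0-9 | head -c128 > $TOKEN && chown katello:katello $TOKEN)` (dropping `echo` only removes the trailing newline, which the Ruby side chomps anyway). The scriptlet these lines land in appears, from the `%postun common` context line above them, to be the post-uninstall scriptlet, which RPM does not run on a fresh install and runs from the old package on upgrade — if that really is the enclosing section, the "both for installation and upgrade" comment is not satisfied and the block belongs in `%post common`; please confirm against the full spec, since only the scriptlet header is visible here. The `%ghost` entry without `%config` also means RPM will delete the token on package erase, which is probably intended but worth a comment next to the `%files` line.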

