Validate PackageId in uploaded packages

[matt-richardson]

source: https://secure.helpscout.net/conversation/393753664?folderId=557082

A vulnerability was reported where an authenticated user with the PackagePush permission could upload a malicious package with a malformed PackageId, causing the Built-In Feed to write the package outside of the Octopus package store.

We should fix this by validationg PackageId's according to the same rules as NuGet Gallery, specifically: ^\w+([_.-]\w+)*$.

[matt-richardson]

Fixed by https://github.com/OctopusDeploy/OctopusDeploy/pull/1218

[octoreleasebot]

Release Note: Prevent directory traversal security vulnerability in Built-In Feed by validating supplied PackageId’s according to the same rules as NuGet.

[matt-richardson]

CVE ID is CVE-2017-11348

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.