[CVE-2020-15853] anyone can run the "refresh" command #69

Open
ryanlerch opened this issue Jul 22, 2020 · 1 comment

@ryanlerch
Contributor

supybot-fedora implements the command 'refresh', which refreshes the cache of all users from FAS. This takes quite a while to run, and zodbot stops responding to requests during this time.

However, anyone is able to run this command and make zodbot stop responding (in my testing, for about 20-30 minutes). This command should be for bot owners only.

@ryanlerch ryanlerch changed the title anyone can run the "refresh" command [CVE-2020-15853] anyone can run the "refresh" command Jul 22, 2020
@ryanlerch
Contributor Author

Refreshing the cache is a lot faster now that zodbot uses fasjson / noggin / fedora accounts to fill this cache, but we should still make it an admin command.
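The mitigation requested in this thread, as an added example that is not part of the issue and is not supybot-fedora's code: a self-contained model of gating the expensive `refresh` command behind an owner capability so the check fails before any work starts. The `Bot` class, the `requires` decorator, the `dispatch` helper and the hostmasks are hypothetical; in a real Limnoria/supybot plugin the same gate is normally expressed with the `'owner'` or `'admin'` converter in the command's `wrap()` spec.

```python
import functools

# Constructed capability table (hostmask -> capabilities). A real bot
# reads this from its user database; these entries are sample data.
CAPABILITIES = {
    "owner!o@owner.example.invalid": {"owner", "admin"},
    "helper!h@helper.example.invalid": {"admin"},
}

class NotAuthorized(Exception):
    """Raised before the handler body runs, so no work is done."""

def requires(capability):
    """Reject callers lacking `capability` before the command executes."""
    def decorator(handler):
        @functools.wraps(handler)
        def gated(bot, hostmask, *args):
            if capability not in CAPABILITIES.get(hostmask, set()):
                raise NotAuthorized(f"{handler.__name__} requires {capability!r}")
            return handler(bot, hostmask, *args)
        return gated
    return decorator

class Bot:
    """Hypothetical stand-in for the bot; counts expensive cache rebuilds."""
    def __init__(self):
        self.refresh_runs = 0

    def refresh_ungated(self, hostmask):
        # Behaviour reported in the issue: any caller triggers the rebuild.
        self.refresh_runs += 1
        return "cache refreshed"

    @requires("owner")
    def refresh(self, hostmask):
        # Same rebuild, reachable only by callers holding 'owner'.
        self.refresh_runs += 1
        return "cache refreshed"

def dispatch(bot, command, hostmask):
    """Run a command and turn authorization failures into a reply string."""
    try:
        return getattr(bot, command)(hostmask)
    except NotAuthorized as exc:
        return f"Error: {exc}"
```

Counting `refresh_runs` makes the point of the gate visible: a rejected caller never reaches the rebuild, so the bot stays responsive.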
