Fix CVE-2018-1002150 - distRepoMove missing access check

Fixes: #850 https://pagure.io/koji/issue/850 fix access check in host.distRepoMove
koji-project · Apr 4, 2018 · ab1ade7 · ab1ade7
2 parents 67e82f5 + daf0764
commit ab1ade7
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/hub/kojihub.py b/hub/kojihub.py
@@ -12517,6 +12517,8 @@ def distRepoMove(self, repo_id, uploadpath, files, arch, sigmap):
         In sigmap, use sig=None to use the primary copy of the rpm instead of a
         signed copy.
         """
+        host = Host()
+        host.verify()
         workdir = koji.pathinfo.work()
         rinfo = repo_info(repo_id, strict=True)
         repodir = koji.pathinfo.distrepo(repo_id, rinfo['tag_name'])

diff --git a/koji/auth.py b/koji/auth.py
@@ -71,6 +71,10 @@ def __init__(self, args=None, hostip=None):
         self.exclusive = False
         self.lockerror = None
         self.callnum = None
+        # we look up perms, groups, and host_id on demand, see __getattr__
+        self._perms = None
+        self._groups = None
+        self._host_id = ''
         #get session data from request
         if args is None:
             environ = getattr(context, 'environ', {})
@@ -204,10 +208,6 @@ def __init__(self, args=None, hostip=None):
         self.master = session_data['master']
         self.session_data = session_data
         self.user_data = user_data
-        # we look up perms, groups, and host_id on demand, see __getattr__
-        self._perms = None
-        self._groups = None
-        self._host_id = ''
         self.logged_in = True
 
     def __getattr__(self, name):