fix potential security issue in mass loading

webyast · Jun 13, 2011 · 8145eb1 · 8145eb1
1 parent b1b38bb
commit 8145eb1
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 2 deletions.
diff --git a/plugins/users/app/models/user.rb b/plugins/users/app/models/user.rb
@@ -145,11 +145,14 @@ def load_data(data)
     load_attributes(attrs)
   end
 
+#XXX USE base model which already contain such functionality it automatic
+ATTR_ACCESSIBLE = [:cn, :uid, :uid_number, :gid_number, :grouplist, :groupname,
+                :home_directory, :login_shell, :user_password, :type ]
   # load a hash of attributes
   def load_attributes(attrs)
     return false if attrs.nil?
     attrs.each do |key, value|
-      if self.respond_to?(key.to_sym)
+      if ATTR_ACCESSIBLE.include?(key.to_sym)
         self.send("#{key}=".to_sym, value)
       end
     end

diff --git a/plugins/users/package/webyast-users-ws.changes b/plugins/users/package/webyast-users-ws.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Jun 13 14:15:38 UTC 2011 - jreidinger@novell.com
+
+- fix potential security issue in mass loading 
+- 0.2.9
+
 -------------------------------------------------------------------
 Tue May 24 10:09:20 UTC 2011 - vgorobets@suse.de
 

diff --git a/plugins/users/package/webyast-users-ws.spec b/plugins/users/package/webyast-users-ws.spec
@@ -19,7 +19,7 @@ License:        GPL-2.0
 Group:          Productivity/Networking/Web/Utilities
 URL:            http://en.opensuse.org/Portal:WebYaST
 Autoreqprov:    on
-Version:        0.2.8
+Version:        0.2.9
 Release:        0
 Summary:        WebYaST - users management
 Source:         www.tar.bz2