From 970b0d754be7c71a760d9b807eea32297fd838e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
 <rafaelmfranca@gmail.com>
Date: Wed, 5 Sep 2018 17:38:09 -0400
Subject: [PATCH] Do not deserialize GlobalID objects that were not generated
 by Active Job

Trusting any GlobalID object when deserializing jobs can allow
attackers to access information that should not be accessible to them.

Fix CVE-2018-16476.
---
 activejob/lib/active_job/arguments.rb               | 2 +-
 1 files changed, 1 insertions(+), 1 deletion(-)

diff --git a/activejob/lib/active_job/arguments.rb b/activejob/lib/active_job/arguments.rb
index de11e7fcb193..8d992a478b75 100644
--- a/activejob/lib/active_job/arguments.rb
+++ b/activejob/lib/active_job/arguments.rb
@@ -75,7 +75,7 @@ def serialize_argument(argument)
       def deserialize_argument(argument)
         case argument
         when String
-          GlobalID::Locator.locate(argument) || argument
+          argument
         when *TYPE_WHITELIST
           argument
         when Array
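Review bot: the String branch now returns the raw string instead of calling `GlobalID::Locator.locate`, which closes the hole where any job payload containing a bare GlobalID URI string was resolved to a record, but the diffstat shows only `activejob/lib/active_job/arguments.rb` changed, with no test added. Please add a test asserting that a String argument shaped like a GlobalID URI is deserialized as a plain String (the regression this patch fixes), and a companion test that GlobalID objects serialized by `serialize_argument` still round-trip through the branch that handles them, since that path is not visible in this hunk and this change must not break it. A one-line comment above `argument` explaining why the locate call was deliberately removed (CVE-2018-16476) would also stop a future cleanup from reintroducing it.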