Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2017-1002151: PR#2426: hide private repos in ssh too - pagure

Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due to improper authorization

CVE
Open in Source
#git#auth#ssh

This is the test I came up with:

+ def test_write_gitolite_project_test_private(self):

  •    """ Test the write\_gitolite\_acls function of pagure.lib.git with

  •    a postconf set """

  •    with open(self.outputconf, 'w') as stream:

  •        pass

  •    # Make the test project private

  •    project = pagure.lib.\_get\_project(self.session, 'test')

  •    project.private = True

  •    self.session.add(project)

  •    self.session.commit()

  •    # Re-generate the gitolite config just for this project

  •    helper = pagure.lib.git\_auth.get\_git\_auth\_helper('gitolite3')

  •    helper.write\_gitolite\_acls(

  •        self.session,

  •        self.outputconf,

  •        project=project,

  •    )

  •    self.assertTrue(os.path.exists(self.outputconf))

  •    with open(self.outputconf) as stream:

  •        data = stream.read().decode('utf-8')

  •    exp = u"""@grp2  = foo

+@grp = pingou +# end of groups

+repo test

  • RW+ = pingou

+repo docs/test

  • RW+ = pingou

+repo tickets/test

  • RW+ = pingou

+repo requests/test

  • RW+ = pingou

+# end of body +"""

  •    print data

  •    self.assertEqual(data, exp)

If someone can review this, I’ll merge the PR manually.

Related news

CVE-2019-11556: Changelog — pagure documentation

Pagure before 5.6 allows XSS via the templates/blame.html blame view.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE