Fix CVE-2018-1002150 - distRepoMove missing access check

Fixes: #850 https://pagure.io/koji/issue/850 fix access check in host.distRepoMove
2018-04-04 09:44:59 -04:00 · 2018-04-04 09:44:59 -04:00 · ab1ade75c1
commit ab1ade75c1
parent 67e82f56b9 daf0764ad3
2 changed files with 6 additions and 4 deletions
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@ -12517,6 +12517,8 @@ class HostExports(object):
        In sigmap, use sig=None to use the primary copy of the rpm instead of a
        signed copy.
        """
+        host = Host()
+        host.verify()
        workdir = koji.pathinfo.work()
        rinfo = repo_info(repo_id, strict=True)
        repodir = koji.pathinfo.distrepo(repo_id, rinfo['tag_name'])
--- a/koji/auth.py
+++ b/koji/auth.py
@ -71,6 +71,10 @@ class Session(object):
        self.exclusive = False
        self.lockerror = None
        self.callnum = None
+        # we look up perms, groups, and host_id on demand, see __getattr__
+        self._perms = None
+        self._groups = None
+        self._host_id = ''
        #get session data from request
        if args is None:
            environ = getattr(context, 'environ', {})
@ -204,10 +208,6 @@ class Session(object):
        self.master = session_data['master']
        self.session_data = session_data
        self.user_data = user_data
-        # we look up perms, groups, and host_id on demand, see __getattr__
-        self._perms = None
-        self._groups = None
-        self._host_id = ''
        self.logged_in = True

    def __getattr__(self, name):