Univention Bugzilla – Bug 41370
UMC server crashes on malicious upload request
Last modified: 2021-06-23 07:29:11 CEST
curl -s --cookie "$COOKIEJAR" --cookie-jar "$COOKIEJAR" -H "Content-Type: application/json" -d '{"flavor": null, "options": ["type=README", "component_id=test-x_20160527104755", "ucs_version=4.1"]}' "http://$host/umcp/upload/appcenter-selfservice/upload"

27.05.16 10:59:18.533 MAIN ( ERROR ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 236, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/sbin/univention-management-console-server", line 161, in _crestart
    self._start()
  File "/usr/lib/pymodules/python2.7/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 204, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 286, in loop
    step()
  File "/usr/lib/pymodules/python2.7/notifier/nf_generic.py", line 273, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/server.py", line 178, in _receive
    res = Response(msg)
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 304, in __init__
    self.options = request.options
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 192, in <lambda>
    options = property(lambda self: self._get_key('options'), lambda self, value: self._set_key('options', value))
  File "/usr/lib/pymodules/python2.7/univention/management/console/protocol/message.py", line 177, in _get_key
    return self.body.get(key)
AttributeError: 'str' object has no attribute 'get'
This is not nice! You don't need to be authenticated to do this. And the UMC-Server port is opened everywhere.

umc-client -s example.com -n UPLOAD foo -F /dev/null
univention-management-console.yaml:
r70660 | YAML Bug #41370

univention-management-console (8.0.28-16):
r70659 | Bug #41370: fix crashing of server on malicious request data
r70658 | Bug #41370: fix crashing of server on malicious request data

Code: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.1/212.html>
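
An added example, not part of the bug thread and not the fix committed in r70658/r70659: it reproduces the failure class shown in the traceback (a request body that arrives as a str where the code calls .get() on it) and shows one way to reject such input per request so the exception never reaches the main loop. All function names and sample inputs are constructed for illustration.

```python
import json
import logging

class BadRequest(Exception):
    """The peer sent a body that does not match the expected shape."""

def unsafe_get_options(body):
    # Same pattern as message.py line 177 in the traceback: assumes a dict.
    return body.get("options")

def parse_body(raw):
    """Decode a request body and insist on a JSON object (dict)."""
    try:
        body = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise BadRequest("body is not valid JSON: %s" % exc)
    if not isinstance(body, dict):
        raise BadRequest("body must be an object, got %s" % type(body).__name__)
    return body

def receive(raw):
    """Hypothetical per-connection callback; a bad message costs one reply,
    not the daemon."""
    try:
        body = parse_body(raw)
        return {"status": 200, "options": body.get("options")}
    except BadRequest as exc:
        return {"status": 400, "message": str(exc)}
    except Exception:
        # Unexpected defect: log it and fail this request only.
        logging.exception("unhandled error while processing request")
        return {"status": 500, "message": "internal error"}

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        '{"flavor": null, "options": ["type=README"]}',  # well-formed object
        '"a bare string"',                                 # valid JSON, wrong type
        'raw upload bytes, not JSON',                      # undecodable body
    ]
    for raw in samples:
        print(receive(raw))
    try:
        unsafe_get_options("raw upload bytes, not JSON")
    except AttributeError as exc:
        print("unhardened path:", exc)
```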