[DRE-maint] Bug#1068330: schleuder: insufficient validation of x-subscribe requests
Georg Faerber
georg at debian.org
Wed Apr 3 14:46:40 BST 2024
Package: schleuder
Version: 4.0.3-7
Severity: important
Forwarded: https://0xacab.org/schleuder/schleuder/-/issues/530
Tags: bookworm fixed-upstream security upstream
Schleuder parses a request like
x-subscribe: user at example.com <user at example.com> DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
as
x-subscribe: user at example.com NULL TRUE
which assigns 'admin' privileges to this subscription.
This is dangerous behaviour. Unexpected input should always throw an
error, especially where admin permissions are being assigned.
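To make the failure mode concrete, here is an added Ruby illustration (not Schleuder's code, and not from the report): a lenient parser modelled on the behaviour described above, beside a strict one that rejects any unexpected token. The three-field layout (email, fingerprint, admin flag), the regexes and the function names are assumptions made for this example.

```ruby
# Added example: lenient versus strict handling of an x-subscribe argument line.
FINGERPRINT_RE = /\A[0-9A-Fa-f]{40}\z/                  # 40-hex-digit OpenPGP v4 fingerprint
EMAIL_RE       = /\A[^\s<>@]+@[^\s<>@.]+(\.[^\s<>@.]+)+\z/

class InvalidRequest < StandardError; end

# Models the behaviour the report describes (assumed, not Schleuder's actual
# implementation): positional tokens, an unparseable fingerprint silently
# becomes nil, and any token at all in the admin slot counts as true.
def parse_x_subscribe_lenient(arguments)
  email, fingerprint, admin = arguments.split
  {
    email:       email,
    fingerprint: FINGERPRINT_RE.match?(fingerprint.to_s) ? fingerprint.upcase : nil,
    admin:       !admin.nil?,
  }
end

# Strict variant: every field must be well-formed, the admin flag must be a
# literal true/false, and a surplus token is an error instead of being ignored.
def parse_x_subscribe_strict(arguments)
  tokens = arguments.split
  unless (1..3).cover?(tokens.size)
    raise InvalidRequest, "expected 1 to 3 arguments, got #{tokens.size}"
  end
  email, fingerprint, admin = tokens
  raise InvalidRequest, "malformed email address: #{email.inspect}" unless EMAIL_RE.match?(email)
  if fingerprint && !FINGERPRINT_RE.match?(fingerprint)
    raise InvalidRequest, "malformed fingerprint: #{fingerprint.inspect}"
  end
  {
    email:       email,
    fingerprint: fingerprint&.upcase,
    admin:       parse_flag(admin, default: false),
  }
end

# Only "true"/"false" (case-insensitive) are accepted; an absent flag means the default.
def parse_flag(token, default:)
  return default if token.nil?
  case token.downcase
  when "true"  then true
  when "false" then false
  else raise InvalidRequest, "expected true or false, got #{token.inspect}"
  end
end
```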