Koji hub allows arbitrary upload destinations


The way that the hub code validates upload paths allows for an attacker to
choose an arbitrary destination for the uploaded file.

Uploading still requires login. However, an attacker with credentials could
damage the integrity of the Koji system.

There is no known workaround. All Koji admins are encouraged to update to a
fixed version as soon as possible.

Bug fix

We are releasing updates for affected versions of Koji from within the
past two years.
The following releases all contain the fix:

- 1.18.1
- 1.17.1
- 1.16.3
- 1.15.3
- 1.14.3

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

Anyone using a Koji version older than two years should update to a more
current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work
onto the appropriate update release. Please see Koji
`issue #1634 <https://pagure.io/koji/issue/1634>`_ for the code details.

As with all changes to hub code, you must restart httpd for the changes to
take effect.


Fixed versions can be found at our releases page: