Koji hub allows arbitrary upload destinations


The way the hub code validates upload paths allows an attacker to choose an arbitrary destination for the uploaded file.

Uploading still requires login. However, an attacker with credentials could damage the integrity of the Koji system.

There is no known workaround. All Koji admins are encouraged to update to a fixed version as soon as possible.
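
The advisory gives no code-level detail of the flaw (Koji issue #1634 has that). The following is an added example, not Koji's hub code and not a workaround, showing the kind of confinement check that validation of a client-supplied upload location has to perform. The function name `resolve_upload_path`, the directory layout, and the sample inputs are assumptions constructed for illustration.

```python
import os
import tempfile


class UploadPathError(ValueError):
    """Raised when a client-supplied upload location is rejected."""


def resolve_upload_path(workdir, reldir, name):
    """Return the upload destination; reldir and name are client-supplied."""
    # The filename must be a single path component and not a dotfile.
    if not name or os.path.basename(name) != name or name.startswith("."):
        raise UploadPathError("bad filename: %r" % name)
    # An absolute reldir would make os.path.join() discard workdir entirely.
    if not reldir or os.path.isabs(reldir):
        raise UploadPathError("bad directory: %r" % reldir)
    # Collapse "a/../.." input; refuse the root itself and anything above it.
    norm = os.path.normpath(reldir)
    if norm in (".", "..") or norm.startswith(".." + os.sep):
        raise UploadPathError("bad directory: %r" % reldir)
    base = os.path.realpath(workdir)
    dest = os.path.realpath(os.path.join(base, norm, name))
    # Final containment check on the resolved path; this also catches a
    # symlink inside workdir that points somewhere else.
    if os.path.commonpath([base, dest]) != base:
        raise UploadPathError("escapes upload area: %r" % reldir)
    return dest


def demo():
    """Run constructed inputs through the validator; return the verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        workdir = os.path.join(top, "work")
        os.makedirs(os.path.join(workdir, "tasks"))
        # Constructed symlink inside the upload area pointing outside it.
        os.symlink(top, os.path.join(workdir, "tasks", "out"))
        for reldir in ("tasks/1234", "/etc", "../hub", "tasks/../..", "tasks/out"):
            try:
                resolve_upload_path(workdir, reldir, "build.log")
                results[reldir] = "accepted"
            except UploadPathError:
                results[reldir] = "rejected"
    return results


if __name__ == "__main__":
    for reldir, verdict in demo().items():
        print("%-14s %s" % (reldir, verdict))
```

Only the first constructed input is accepted; the absolute path, the two traversal forms, and the symlinked directory are all refused.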

Bug fix

We are releasing updates for affected versions of Koji from within the past two years. The following releases all contain the fix:

  • 1.18.1
  • 1.17.1
  • 1.16.3
  • 1.15.3
  • 1.14.3

Note: the legacy-py24 branch is unaffected since it is client-only (no hub).

Anyone using a Koji version older than two years should update to a more current version as soon as possible.

For users who have customized their Koji code, we recommend rebasing your work onto the appropriate update release. Please see Koji issue #1634 for the code details.

As with all changes to hub code, you must restart httpd for the changes to take effect.