koji hub allows arbitrary upload destinations
The way the hub code validates upload paths allows an attacker to choose an
arbitrary destination for the uploaded file, rather than being confined to the
intended upload directory.
Uploading still requires login, so the bug is not exploitable anonymously.
However, any user with valid credentials could write files to locations of
their choosing and thereby damage the integrity of the Koji system.
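To show the class of check at issue, here is an added example of an upload-destination validator, written for this advisory and not taken from Koji's hub code; it does not reproduce the exact flaw in the hub. WORK_DIR, the function names and the sample requests are all hypothetical. naive_upload_path shows the generic weak pattern (joining caller-controlled parts and trusting the result); safe_upload_path rejects absolute paths, empty, "." and ".." components and NUL bytes, then re-checks the resolved path against the resolved work directory.

```python
import os

# Added illustration, not Koji's hub code. WORK_DIR is a hypothetical stand-in
# for the directory under which the hub stores uploads.
WORK_DIR = "/mnt/koji/work"


class BadUploadPath(ValueError):
    """Raised when a caller-supplied upload location is not acceptable."""


def naive_upload_path(workdir, filepath, filename):
    """Generic weak pattern: join caller-controlled parts and trust the result.

    os.path.join discards everything before an absolute component, so
    filepath="/etc" yields "/etc/<filename>"; ".." components are passed
    through untouched, so the caller effectively picks the destination.
    """
    return os.path.join(workdir, filepath, filename)


def safe_upload_path(workdir, filepath, filename):
    """Return the absolute destination for an upload, or raise BadUploadPath.

    filepath is the caller-chosen subdirectory (relative, '/'-separated) and
    filename the leaf name. Every component is checked before joining, and the
    resolved result is checked again against the resolved work directory so
    that a symlink inside workdir cannot move the destination outside it.
    """
    if not filepath or not filename:
        raise BadUploadPath("empty path component")
    for part in (filepath, filename):
        if part.startswith("/") or "\\" in part or "\x00" in part:
            raise BadUploadPath("absolute path or forbidden character in %r" % part)
    if "/" in filename:
        raise BadUploadPath("filename must be a single path component")
    for comp in filepath.split("/") + [filename]:
        # Reject '', '.' and '..' explicitly instead of relying on normpath.
        if comp in ("", ".", ".."):
            raise BadUploadPath("relative component %r not allowed" % comp)
    root = os.path.realpath(workdir)
    dest = os.path.realpath(os.path.join(root, filepath, filename))
    # Final containment check on the fully resolved path.
    if not dest.startswith(root.rstrip(os.sep) + os.sep):
        raise BadUploadPath("destination %r escapes %r" % (dest, root))
    return dest


def is_safe_upload(workdir, filepath, filename):
    """Boolean form of safe_upload_path, convenient for logging and tests."""
    try:
        safe_upload_path(workdir, filepath, filename)
    except BadUploadPath:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests: (filepath, filename) as a client might send.
    samples = [
        ("cli-build/1234", "foo-1.0-1.src.rpm"),    # legitimate
        ("/etc", "passwd"),                          # absolute subdirectory
        ("../../etc", "passwd"),                     # traversal in subdirectory
        ("cli-build/1234", "../../../etc/passwd"),   # traversal in filename
        ("cli-build//1234", "foo.rpm"),              # empty component
        ("cli-build/1234", "foo\x00.rpm"),           # NUL byte
    ]
    for fp, fn in samples:
        print("%-45r naive=%-40s safe=%s" % (
            (fp, fn), naive_upload_path(WORK_DIR, fp, fn), is_safe_upload(WORK_DIR, fp, fn)))
```

The point of the second, post-resolution check is that component filtering alone is not enough once symlinks under the work directory are possible; validating both the request as received and the path as it will actually be opened is the pattern to look for when reviewing an upload handler.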
There is no known workaround. All Koji administrators are encouraged to update
to a fixed version as soon as possible.
We are releasing updates for each affected version of Koji to fix this bug.
The following releases <https://pagure.io/koji/releases> all contain the
Note: the legacy-py24 branch is unaffected since it is client-only (no hub).
For users who have customized their Koji code, we recommend rebasing your
work onto the appropriate update release. See Koji issue 1634
<https://pagure.io/koji/issue/1634> for the code details.
As with all changes to hub code, you must restart httpd for the changes to
Fixed versions can be found at our releases page: