From ab1ade75c155c2325ec92913fc5c510fd61757a1 Mon Sep 17 00:00:00 2001
From: Mike McLean
Date: Apr 04 2018 13:46:29 +0000
Subject: Fix CVE-2018-1002150 - distRepoMove missing access check Fixes: #850 https://pagure.io/koji/issue/850 fix access check in host.distRepoMove
---
diff --git a/hub/kojihub.py b/hub/kojihub.py
index 4e0e558..cd46fda 100644
--- a/hub/kojihub.py
+++ b/hub/kojihub.py
@@ -12517,6 +12517,8 @@ class HostExports(object):
         In sigmap, use sig=None to use the primary copy of the rpm instead
         of a signed copy.
         """
+        host = Host()
+        host.verify()
         workdir = koji.pathinfo.work()
         rinfo = repo_info(repo_id, strict=True)
         repodir = koji.pathinfo.distrepo(repo_id, rinfo['tag_name'])
diff --git a/koji/auth.py b/koji/auth.py
index 6f43159..f780cf6 100644
--- a/koji/auth.py
+++ b/koji/auth.py
@@ -71,6 +71,10 @@ class Session(object):
         self.exclusive = False
         self.lockerror = None
         self.callnum = None
+        # we look up perms, groups, and host_id on demand, see __getattr__
+        self._perms = None
+        self._groups = None
+        self._host_id = ''
         #get session data from request
         if args is None:
             environ = getattr(context, 'environ', {})
@@ -204,10 +208,6 @@ class Session(object):
         self.master = session_data['master']
         self.session_data = session_data
         self.user_data = user_data
-        # we look up perms, groups, and host_id on demand, see __getattr__
-        self._perms = None
-        self._groups = None
-        self._host_id = ''
         self.logged_in = True
 
     def __getattr__(self, name):
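Review bot: The added `host.verify()` only establishes that the session belongs to some registered host, not that this host is the one entitled to touch repo `repo_id`; the lines right after it look the repo up with `repo_info(repo_id, strict=True)` without tying it to the caller, so any builder host can still move files into any dist repo. If the method can resolve the task that owns this repo (sibling host-side calls presumably do), it should also assert that the calling host is the one assigned to that task, e.g. by comparing `host.id` with the task's host; I cannot tell from the hunk which parameter, if any, carries that task. The docstring that ends just above the insertion should state the new requirement too, e.g. `Requires a host session (checked via Host().verify()).` The signature of distRepoMove and the rest of its body lie outside the hunk.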
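Review bot: `_host_id` is seeded with `''` while `_perms` and `_groups` use `None` as their not-yet-looked-up marker, and nothing on the added lines explains the difference; if `__getattr__` needs `''` because `None` is itself a legitimate looked-up result (a non-host user), say so in the comment, e.g. `# _host_id uses '' as the unset marker because None is a valid lookup result`. Since these attributes now exist on every `Session`, including one that never logs in, a sentence noting that `__getattr__` must therefore never see them missing would also help the next reader, though I am inferring that motivation rather than seeing it in the hunk. `Session.__init__` continues outside the hunk.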