Origin: Command execution as root via downloadable cartridge source-url

cartridgerepository.rb in OpenShift Origin and Enterprise 1.2.8 through 2.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a Source-Url ending with a 1 .tar.gz, 2 .zip, 3 .tgz, or 4 .tar file extension in a cartridge manifest file...