Issue #9697 has been updated by Daniel Pittman.

Assigned to Jason to get scheduled to an engineer.
----------------------------------------
Bug #9697: Indirector / HTTP API v1 security issues
https://projects.puppetlabs.com/issues/9697

Author: Daniel Pittman
Status: Investigating
Priority: Urgent
Assignee: Jason McKerr
Category: security
Target version: 
Affected Puppet version: 
Keywords: 
Branch: 


As reported by Kristian Hermansen, in 2.7 we trusted user supplied data from 
the URI as part of the pathname for SSL_File and YAML terminus data being 
stored, deleted, and read from disk.  While this required a valid model object, 
it did allow semi-arbitrary file content dropping to the target systems.  This 
is especially the master, but theoretically any accessible endpoint is 
vulnerable, such as the agent.

We should:

1. Eliminate the double-decode of query parameters in the indirector HTTP API; 
this means understanding *why* that code exists, and what will break if it is 
removed, then fixing that, and removing the double-decode.
2. Update the HTTP API and/or core indirector to reject "abusive" inputs, if 
possible.  (e.g.: can we reject anything with '../' or '/..' as abusive?)
3. Review the terminus base classes, and understand if anything better can be 
done to secure those generically.
4. Review the existing terminus implementations, and verify that nothing else 
untrusted is leaking into the system.
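As an added illustration (not code from this issue or from Puppet itself), the following Ruby shows why the double-decode in step 1 defeats a traversal check and what the single-decode rejection of step 2 looks like; the handler names, the check placement and the base directory are assumptions:

```ruby
require 'uri'
require 'pathname'

# Modelled on the double-decode pattern: the key is URI-decoded twice, so a
# doubly encoded "%252e%252e" passes a ".." check made after the first decode
# and only becomes ".." after the second one (assumed handler, not Puppet's).
def naive_key_to_path(base_dir, raw_key)
  once = URI.decode_www_form_component(raw_key)
  raise ArgumentError, "traversal" if once.include?("..") # check sees "%2e%2e"
  twice = URI.decode_www_form_component(once)             # now it is ".."
  File.join(base_dir, twice)
end

# Hardened version: decode exactly once, reject absolute keys and any ".."
# path segment, then confirm the resolved path still lies under base_dir.
def safe_key_to_path(base_dir, raw_key)
  key = URI.decode_www_form_component(raw_key)
  raise ArgumentError, "absolute key" if key.start_with?("/")
  raise ArgumentError, "traversal segment" if key.split("/").include?("..")
  base = Pathname.new(base_dir).expand_path
  path = (base + key).expand_path
  raise ArgumentError, "escapes base" unless path.to_s.start_with?(base.to_s + "/")
  path.to_s
end

# True when the hardened mapping refuses the key.
def rejected?(base_dir, raw_key)
  safe_key_to_path(base_dir, raw_key)
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  # Constructed sample: a doubly encoded "../../etc/passwd" under /srv/data.
  evil = "%252e%252e%252f%252e%252e%252fetc%252fpasswd"
  puts File.expand_path(naive_key_to_path("/srv/data", evil))
  puts rejected?("/srv/data", "%2e%2e%2fetc%2fpasswd")
  puts safe_key_to_path("/srv/data", "certs/ca.pem")
end
```

Note that after a single decode the doubly encoded key is just a literal filename containing percent signs, which is harmless with respect to traversal; the single-encoded form is what the segment check must catch.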


