Issue #19531 has been updated by Matthaus Owens. Private changed from Yes to No
----------------------------------------
Bug #19531: REST auth.conf should not allow a node to save a report for another node by default
https://projects.puppetlabs.com/issues/19531#change-86946

Author: Josh Cooper
Status: Closed
Priority: Normal
Assignee:
Category:
Target version: 3.1.1
Affected Puppet version: 0.25.0
Keywords: CVE-2013-2275
Branch:

The default authorization rule for the report endpoint is not secure by default:

<pre>
{ :acl => "/report", :method => :save, :authenticated => true },
</pre>

It needs to restrict a node to only save its own report:

<pre>
{ :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
</pre>

Note: in more recent versions of Puppet, the default ACLs reside in `lib/puppet/network/authconfig.rb`, and there is also a configuration file in `conf/auth.conf`.

--
Posted to the Google Groups "Puppet Bugs" group: http://groups.google.com/group/puppet-bugs?hl=en
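Added example (not part of the issue above and not Puppet's own code): a small Ruby model of how auth.conf rules are matched, used to show why the original `/report` rule lets any authenticated node overwrite another node's report and why the regex rule with `:allow => '$1'` does not. The matcher is an assumption about Puppet's behaviour simplified to what the issue needs (path prefix or `~ regex` ACLs, first matching rule decides, `:allow` defaulting to everyone, `$1` expanded from the regex capture); the real `Puppet::Network::Rights` also handles IP-based allow/deny and other methods. The node names are constructed sample input.

```ruby
# Added example for CVE-2013-2275 (Puppet bug #19531). Not Puppet's code:
# a deliberately small model of auth.conf rule matching, sufficient to
# contrast the old and the fixed default rule for the report endpoint.

# Rule as it stood before the fix (quoted from the issue).
OLD_RULES = [
  { :acl => "/report", :method => :save, :authenticated => true },
].freeze

# Rule proposed in the issue: the capture group is the node name in the
# path, and '$1' restricts the allowed certname to exactly that node.
NEW_RULES = [
  { :acl => "~ ^\/report\/([^\/]+)$", :method => :save, :allow => '$1', :authenticated => true },
].freeze

# Returns the regex captures (an Array, possibly empty) if the rule's ACL
# matches the request path, nil otherwise. A plain ACL is a path prefix, as in
# auth.conf; an ACL starting with "~ " is a regular expression.
def acl_match(acl, path)
  if acl.start_with?("~ ")
    m = Regexp.new(acl[2..-1]).match(path)
    m ? m.captures : nil
  elsif path == acl || path.start_with?(acl + "/")
    []
  else
    nil
  end
end

# Expand '$1', '$2', ... in an allow entry against the regex captures.
def expand_allow(entry, captures)
  entry.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i - 1].to_s }
end

# First rule whose ACL and method match decides (assumed, as in Puppet).
# Returns true if the request is permitted; false if denied or if no rule
# matches at all (default deny).
def authorized?(rules, path:, method:, node:, authenticated:)
  rules.each do |rule|
    captures = acl_match(rule[:acl], path)
    next unless captures
    methods = Array(rule[:method] || [:find, :search, :save, :destroy])
    next unless methods.include?(method)

    return false if rule[:authenticated] && !authenticated
    return true if rule[:allow].nil? # no :allow means "*": anyone who got this far

    allowed = Array(rule[:allow]).map { |a| expand_allow(a, captures) }
    return allowed.include?("*") || allowed.include?(node)
  end
  false
end

# Can an authenticated agent with certname +node+ save the report of +target+?
def node_may_save_report?(rules, node, target)
  authorized?(rules, path: "/report/#{target}", method: :save,
                     node: node, authenticated: true)
end

if __FILE__ == $0
  # Constructed sample certnames.
  attacker = "attacker.example.com"
  victim   = "victim.example.com"
  { "old default" => OLD_RULES, "fixed rule" => NEW_RULES }.each do |label, rules|
    own   = node_may_save_report?(rules, attacker, attacker)
    other = node_may_save_report?(rules, attacker, victim)
    puts "#{label}: own report #{own ? 'allowed' : 'denied'}, " \
         "another node's report #{other ? 'allowed' : 'denied'}"
  end
end
```

Running the block prints that the old default allows both saves while the fixed rule allows only the node's own; the same `authorized?` call with `authenticated: false`, or with a method other than `:save`, is denied under the fixed rule because no rule matches.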
