Resist directory traversal attacks through indirections.
0a92a70a22b7Unpublished
Actions

Unpublished Commit · Learn More

Repository Importing: This repository is still importing.

Description

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory traversal
attack through the SSLFile indirection base class. This was variously
triggered through the user-supplied key, or the Subject of the certificate, in
the code.

Now, we detect bad patterns down in the base class for our indirections, and
fail hard on them. This reduces the attack surface with as little disruption
to the overall codebase as possible, making it suitable to deploy as part of
older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent
these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com> for the
responsible disclosure, and useful analysis, around this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

Details

Provenance

Daniel Pittman <daniel@puppetlabs.com>	Authored on
Michael Stahnke <stahnma@puppetlabs.com>	Committed on Sep 27 2011, 6:32 PM
vanmeeuwen	Pushed on Jun 2 2015, 2:22 PM

Parents

rPU4a37529b7d59: Merge pull request #121 from djm68/9547_accectance_tests_cleanup_cfgs

Branches

Unknown

Tags