(PUP-3855) Force invalid environment on request to use check_auth
367a728bca38Unpublished
Actions

Unpublished Commit · Learn More

Repository Importing: This repository is still importing.

Description

(PUP-3855) Force invalid environment on request to use check_auth

In previous commits, if a request included an environment which is
invalid, an ArgumentError indicating that the environment is invalid was
returned to the caller. This could be used maliciously by
unauthenticated/unauthorized callers to determine which environments are
valid on the server.

This commit causes uri2indirection to call through to
check_authorization even if the supplied environment on the request was
invalid. If the check_authorization call fails because an environment
restriction was imposed in auth.conf, the caller will now see a generic
"Forbidden request" response with no context about the environment being
invalid, mitigating the information disclosure concern. If the
check_authorization call does not fail but the environment is still
invalid, an ArgumentError indicating that the environment was not found
is still returned to the caller. This ensures for backward
compatibility for cases that the caller is sufficiently authenticated
and authorized.

Details

Provenance

Jeremy Barlow <jeremy.barlow@puppetlabs.com>	Authored on
vanmeeuwen	Pushed on Jun 2 2015, 2:22 PM

Parents

rPUd654c1d08f9e: (PUP-3855) Restore ability for auth.conf to restrict on environment

Branches

Unknown

Tags

Unknown

Event Timeline

Jeremy Barlow <jeremy.barlow@puppetlabs.com> committed rPU367a728bca38: (PUP-3855) Force invalid environment on request to use check_auth (authored by Jeremy Barlow <jeremy.barlow@puppetlabs.com>).Jan 27 2015, 7:41 PM

Changes (2)

Path

Size

lib/

puppet/

network/

http/

api/

indirected_routes.rb

spec/

unit/

network/

http/

api/

indirected_routes_spec.rb

rPU367a728bca38

View Options

lib/puppet/network/http/api/indirected_routes.rb