
Fix for bucket_path security vulnerability
568ded50ec6c (Unpublished)


Description

Fix for bucket_path security vulnerability

This is a fix for Bugs #13553, #13418, #13511. The bucket_path parameter
allowed control over where the filebucket will try to read and write to.
The only place available to stop this parameter is in the resolution
from a URI to an indirector terminus. The bucket_path is used
internally for local filebuckets and so cannot be removed completely
without a larger change to the design.

Conflicts:

lib/puppet/network/http/api/v1.rb
spec/unit/network/http/api/v1_spec.rb

Conflicts resolved by modifying the patch to fit the use of
Puppet::Indirector::Request in the code.
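
The approach the commit message describes, dropping `bucket_path` at the point where a URI is resolved into a request while leaving it usable for local callers, shown as an added example. This is not Puppet's code or part of this commit; the `Request` struct, the `/<environment>/<indirection>/<key>` path layout, the deny-list and the default directory are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical names throughout (not Puppet's API).
# Parameters a network caller may never set, keyed by indirection name.
REMOTE_DENIED_PARAMS = { "file_bucket_file" => ["bucket_path"] }.freeze

Request = Struct.new(:indirection, :key, :options)

# Resolve "/<environment>/<indirection>/<key>?query" into a Request.
# This is the single network entry point, so denied parameters are
# dropped here, before any terminus sees them.
def uri_to_request(uri_string)
  uri = URI.parse(uri_string)
  _env, indirection, key = uri.path.sub(%r{\A/}, "").split("/", 3)
  raise ArgumentError, "malformed path" if indirection.nil? || key.nil?

  # decode_www_form percent-decodes names, so "bucket%5Fpath" is
  # compared in its decoded form and cannot slip past the filter.
  params = URI.decode_www_form(uri.query.to_s).to_h
  denied = REMOTE_DENIED_PARAMS.fetch(indirection, [])
  params.reject! { |name, _value| denied.include?(name) }
  Request.new(indirection, key, params)
end

# Stand-in for the terminus: uses bucket_path when present, otherwise
# the configured default (constructed value).
def bucket_dir(request, default: "/var/lib/example/bucket")
  request.options.fetch("bucket_path", default)
end

# Constructed inputs: two remote requests that try to set bucket_path,
# and one local request built directly, bypassing URI resolution.
def demo
  remote = uri_to_request("/production/file_bucket_file/md5/abc?bucket_path=/tmp/other")
  encoded = uri_to_request("/production/file_bucket_file/md5/abc?bucket%5Fpath=/tmp/other")
  local = Request.new("file_bucket_file", "md5/abc", { "bucket_path" => "/srv/local-bucket" })
  [remote, encoded, local].map { |req| bucket_dir(req) }
end
```

Local callers construct the request directly and keep control of the path, which is why the filter sits at URI resolution rather than in the terminus.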

Details

Provenance
Andrew Parker <andy@puppetlabs.com> Authored on
vanmeeuwen Pushed on Jun 2 2015, 2:22 PM
Parents
rPU6bef2e622584: Removed text/marshal support
Branches
Unknown
Tags
Unknown

Event Timeline

Andrew Parker <andy@puppetlabs.com> committed rPU568ded50ec6c: Fix for bucket_path security vulnerability (authored by Andrew Parker <andy@puppetlabs.com>). Apr 2 2012, 11:13 PM