Resist directory traversal attacks through indirections.
fe2de817b43aUnpublished
Actions

Unpublished Commit · Learn More

Repository Importing: This repository is still importing.

Description

Resist directory traversal attacks through indirections.

In various versions of Puppet it was possible to cause a directory traversal
attack through the SSLFile indirection base class. This was variously
triggered through the user-supplied key, or the Subject of the certificate, in
the code.

Now, we detect bad patterns down in the base class for our indirections, and
fail hard on them. This reduces the attack surface with as little disruption
to the overall codebase as possible, making it suitable to deploy as part of
older, stable versions of Puppet.

In the long term we will also address this higher up the stack, to prevent
these problems from reoccurring, but for now this will suffice.

Huge thanks to Kristian Erik Hermansen <kristian.hermansen@gmail.com> for the
responsible disclosure, and useful analysis, around this defect.

Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>

Details

Provenance

Daniel Pittman <daniel@puppetlabs.com>	Authored on
Michael Stahnke <stahnma@puppetlabs.com>	Committed on Sep 28 2011, 7:52 AM
vanmeeuwen	Pushed on Jun 2 2015, 2:22 PM

Parents

rPU8bad457fb68f: Merge branch '2.6rc' into 2.6.x

Branches

Unknown

Tags