File puppet-3.8.5-CVE-2021-27023.patch of Package puppet.25941
Index: puppet-3.8.5/lib/puppet/defaults.rb =================================================================== --- puppet-3.8.5.orig/lib/puppet/defaults.rb +++ puppet-3.8.5/lib/puppet/defaults.rb @@ -580,6 +580,12 @@ module Puppet :owner => "service", :group => "service", :desc => "The directory where catalog previews per node are generated." + }, + :location_trusted => { + :default => false, + :type => :boolean, + :desc => "This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to. + This may or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info and cookies." } ) Puppet.define_settings(:module_tool, Index: puppet-3.8.5/lib/puppet/network/http/connection.rb =================================================================== --- puppet-3.8.5.orig/lib/puppet/network/http/connection.rb +++ puppet-3.8.5/lib/puppet/network/http/connection.rb @@ -171,7 +171,7 @@ module Puppet::Network::HTTP return response if response with_connection(current_site) do |connection| - apply_options_to(current_request, options) + apply_options_to(current_request, options) if redirection.zero? current_response = execute_request(connection, current_request) @@ -185,6 +185,11 @@ module Puppet::Network::HTTP current_request = current_request.class.new(location.path) current_request.body = request.body request.each do |header, value| + unless Puppet[:location_trusted] + # skip adding potentially sensitive header to other hosts + next if header.casecmp('Authorization').zero? && request.uri.host.casecmp(location.host) != 0 + next if header.casecmp('Cookie').zero? && request.uri.host.casecmp(location.host) != 0 + end current_request[header] = value end else
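Review bot: In lib/puppet/defaults.rb, the :desc for :location_trusted is too vague to act on ("This may or may not introduce a security breach"). It should state what the setting controls in connection.rb: when false (the default), the Authorization and Cookie headers are dropped on a redirect whose host differs from the original request's host; when true, they are forwarded to whatever host the redirect names. "name + password" would also read better as "the Authorization header", to match the header names the code checks.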
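Review bot: In the @@ -171,7 hunk of lib/puppet/network/http/connection.rb, the new "if redirection.zero?" guard on apply_options_to is unconditional and carries no comment. It takes effect even when Puppet[:location_trusted] is true, and it also applies to redirects that stay on the same host, so in both cases anything apply_options_to sets reaches the redirected request only through the header copy loop in the next hunk. Please add a comment stating that intent, plus a test showing that a same-host redirect and a location_trusted redirect still carry the expected headers.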
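Review bot: In the @@ -185,6 hunk of lib/puppet/network/http/connection.rb, the check compares host names only (request.uri.host.casecmp(location.host) != 0), so a redirect to the same host on a different port or scheme still receives Authorization and Cookie. Consider comparing scheme, host and port together, and folding the two near-identical "next if" lines into one test against a list of sensitive header names. It is also worth confirming that request.uri can never be nil at this point, given that the redirected request a few lines up is built from location.path alone.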