~lynxman/ubuntu/precise/puppet/puppetlabsfixbug12844


Viewing changes to lib/puppet/application/cert.rb

  • Committer: Bazaar Package Importer
  • Author(s): Marc Deslauriers
  • Date: 2011-10-24 15:05:12 UTC
  • Revision ID: james.westby@ubuntu.com-20111024150512-yxqwfdp6hcs6of5l
Tags: 2.7.1-1ubuntu3.2
* SECURITY UPDATE: puppet master impersonation via incorrect certificates
  - debian/patches/CVE-2011-3872.patch: refactor certificate handling.
  - Thanks to upstream for providing the patch.
  - CVE-2011-3872

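--- a/lib/puppet/application/cert.rb
+++ b/lib/puppet/application/cert.rb
@@ -10,6 +10,7 @@
   def subcommand
     @subcommand
   end
+
   def subcommand=(name)
     # Handle the nasty, legacy mapping of "clean" to "destroy".
     sub = name.to_sym
@@ -38,11 +39,15 @@
 
   require 'puppet/ssl/certificate_authority/interface'
   Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS.reject {|m| m == :destroy }.each do |method|
-    option("--#{method}", "-#{method.to_s[0,1]}") do
+    option("--#{method.to_s.gsub('_','-')}", "-#{method.to_s[0,1]}") do
       self.subcommand = method
     end
   end
 
+  option("--[no-]allow-dns-alt-names") do |value|
+    options[:allow_dns_alt_names] = value
+  end
+
   option("--verbose", "-v") do
     Puppet::Util::Log.level = :info
   end
@@ -181,8 +186,8 @@
       hosts = command_line.args.collect { |h| h.downcase }
     end
     begin
-      @ca.apply(:revoke, :to => hosts) if subcommand == :destroy
-      @ca.apply(subcommand, :to => hosts, :digest => @digest)
+      @ca.apply(:revoke, options.merge(:to => hosts)) if subcommand == :destroy
+      @ca.apply(subcommand, options.merge(:to => hosts, :digest => @digest))
     rescue => detail
       puts detail.backtrace if Puppet[:trace]
       puts detail.to_s
@@ -202,6 +207,15 @@
       Puppet::SSL::Host.ca_location = :only
     end
 
+    # If we are generating, and the option came from the CLI, it gets added to
+    # the data.  This will do the right thing for non-local certificates, in
+    # that the command line but *NOT* the config file option will apply.
+    if subcommand == :generate
+      if Puppet.settings.setting(:dns_alt_names).setbycli
+        options[:dns_alt_names] = Puppet[:dns_alt_names]
+      end
+    end
+
     begin
       @ca = Puppet::SSL::CertificateAuthority.new
     rescue => detail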
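Review bot: At new lines 189–190 the whole `options` hash is merged into both `@ca.apply` calls, so the security-relevant `:allow_dns_alt_names` and `:dns_alt_names` values are handed to the CA for every subcommand, including the `:revoke` that runs before `:destroy`. Whether the CA interface ignores them outside the subcommands that issue certificates is not visible on this page, so I would keep the revoke call as `@ca.apply(:revoke, :to => hosts) if subcommand == :destroy` and merge the alt-name keys only into the second call. The `--[no-]allow-dns-alt-names` declaration at new line 47 also carries no comment; something like `# Off by default: permits certificate requests that carry DNS alt names, which could let a certificate answer for another host.` would tell operators why the default matters (wording to be confirmed against the CA code). The enclosing methods begin and end outside the hunks shown.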