← Back to branch summary

~ubuntu-branches/ubuntu/precise/puppet/precise-security

~ubuntu-branches/ubuntu/precise/puppet/precise-security

« back to all changes in this revision

Viewing changes to lib/puppet/file_serving/indirection_hooks.rb

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2012-07-10 07:58:03 UTC
Revision ID: package-import@ubuntu.com-20120710075803-og8iubg2a90dtk7f

Tags: 2.7.11-1ubuntu2.1

* SECURITY UPDATE: Multiple July 2012 security issues
  - debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch: upstream
    patch to fix multiple security issues.
  - CVE-2012-3864: arbitrary file read on master from authenticated
    clients
  - CVE-2012-3865: arbitrary file delete or denial of service on master
    from authenticated clients
  - CVE-2012-3866: last_run_report.yaml report file is world readable and
    leads to arbitrary file read on master by an agent
  - CVE-2012-3867: insufficient input validation for agent cert hostnames

files added:
.pc/.quilt_patches

.pc/.quilt_series

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/application

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/application/master.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/defaults.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face/file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/face/file/download.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_bucket/file/indirection_hooks.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/configuration.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/content.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/indirection_hooks.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/metadata.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/mount

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/mount/modules.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/file_serving/terminus_selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_bucket_file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_bucket_file/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_content

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_content/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_metadata

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/indirector/file_metadata/selector.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/network/authstore.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/reports

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/reports/store.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/base.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/certificate_authority/interface.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/lib/puppet/ssl/host.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_bucket

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_bucket/file_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving/content_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/file_serving/metadata_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/integration/network/rest_authconfig_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/shared_behaviours/file_serving_model.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/configuration_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/content_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/indirection_hooks_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/metadata_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/mount

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/mount/modules_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/file_serving/terminus_selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_bucket_file

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_bucket_file/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_content

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_content/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_metadata

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/indirector/file_metadata/selector_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network/handler

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/network/handler/ca_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/reports

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/reports/store_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority/interface_spec.rb

.pc/2.7.17-Puppet-July-2012-CVE-fixes.patch/spec/unit/ssl/certificate_authority_spec.rb

debian/patches/2.7.17-Puppet-July-2012-CVE-fixes.patch

lib/puppet/file_serving/terminus_selector.rb

lib/puppet/indirector/file_bucket_file/selector.rb

lib/puppet/indirector/file_content/selector.rb

lib/puppet/indirector/file_metadata/selector.rb

spec/integration/file_bucket

spec/integration/file_bucket/file_spec.rb

spec/shared_behaviours/file_serving_model.rb

spec/unit/file_serving/terminus_selector_spec.rb

spec/unit/indirector/file_bucket_file/selector_spec.rb

spec/unit/indirector/file_content/selector_spec.rb

spec/unit/indirector/file_metadata/selector_spec.rb

files removed:
lib/puppet/file_bucket/file

lib/puppet/file_bucket/file/indirection_hooks.rb

lib/puppet/file_serving/indirection_hooks.rb

spec/unit/file_serving/indirection_hooks_spec.rb

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

lib/puppet/application/master.rb

lib/puppet/defaults.rb

lib/puppet/face/file/download.rb

lib/puppet/file_bucket/file.rb

lib/puppet/file_serving/configuration.rb

lib/puppet/file_serving/content.rb

lib/puppet/file_serving/metadata.rb

lib/puppet/file_serving/mount/modules.rb

lib/puppet/network/authstore.rb

lib/puppet/reports/store.rb

lib/puppet/ssl/base.rb

lib/puppet/ssl/certificate_authority.rb

lib/puppet/ssl/certificate_authority/interface.rb

lib/puppet/ssl/host.rb

spec/integration/file_serving/content_spec.rb

spec/integration/file_serving/metadata_spec.rb

spec/integration/network/rest_authconfig_spec.rb

spec/shared_behaviours/file_serving.rb

spec/unit/file_serving/configuration_spec.rb

spec/unit/file_serving/content_spec.rb

spec/unit/file_serving/metadata_spec.rb

spec/unit/file_serving/mount/modules_spec.rb

spec/unit/network/handler/ca_spec.rb

spec/unit/reports/store_spec.rb

spec/unit/ssl/certificate_authority/interface_spec.rb

spec/unit/ssl/certificate_authority_spec.rb

Show diffs side-by-side

added added

removed removed

lib/puppet/file_serving/indirection_hooks.rb

1

require 'uri'

2

require 'puppet/file_serving'

3

require 'puppet/util'

4

5

# This module is used to pick the appropriate terminus

6

# in file-serving indirections. This is necessary because

7

# the terminus varies based on the URI asked for.

8

module Puppet::FileServing::IndirectionHooks

9

PROTOCOL_MAP = {"puppet" => :rest, "file" => :file}

10

11

# Pick an appropriate terminus based on the protocol.

12

def select_terminus(request)

13

# We rely on the request's parsing of the URI.

14

15

# Short-circuit to :file if it's a fully-qualified path or specifies a 'file' protocol.

16

return PROTOCOL_MAP["file"] if Puppet::Util.absolute_path?(request.key)

17

return PROTOCOL_MAP["file"] if request.protocol == "file"

18

19

# We're heading over the wire the protocol is 'puppet' and we've got a server name or we're not named 'apply' or 'puppet'

20

if request.protocol == "puppet" and (request.server or !["puppet","apply"].include?(Puppet.settings[:name]))

21

return PROTOCOL_MAP["puppet"]

22

end

23

24

if request.protocol and PROTOCOL_MAP[request.protocol].nil?

25

raise(ArgumentError, "URI protocol '#{request.protocol}' is not currently supported for file serving")

26

end

27

28

# If we're still here, we're using the file_server or modules.

29

:file_server

30

end

31

end

Older »