Issue #9793 has been updated by Daniel Pittman. File 2.6.x-9793-secure-indirector-file-backed-terminus-base-cla.patch added File 2.7.x-9793-secure-indirector-file-backed-terminus-base-cla.patch added
Secured by deleting the code, which was unused. I did both 2.7.x and 2.6.x, but not 0.25 at this point: dead code in a dead branch doesn't feel worth the effort to me right now. ---------------------------------------- Bug #9793: `indirector/file.rb` base class needs bad filename protection https://projects.puppetlabs.com/issues/9793 Author: Daniel Pittman Status: Accepted Priority: Immediate Assignee: Daniel Pittman Category: security Target version: Affected Puppet version: Keywords: Branch: The `indirector/file.rb` terminus base class trusts the request key as part of the pathname, like the YAML and SslFile terminus base classes did. The mitigating factor in this being, that is entirely unused. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
