Issue #17879 has been updated by Jeff McCune. Status changed from Re-opened to Duplicate
Unfortunately the pull request in https://github.com/puppetlabs/puppet/pull/1490 does not sufficiently address the root cause of this problem. Here's the comment I posted on Github:

Thanks for this patch, but I don't understand how it adequately protects from the situation where Puppet writes the file to disk based on the name. For example, on Windows the path separator is \ and this patch would cause Puppet to accept a cert name of ..\..\puppet.conf which could be used to overwrite the puppet configuration file.

I think this approach is insufficient because it does not address the root cause of the issue that's been mentioned in http://projects.puppetlabs.com/issues/15561#note-13

I'm happy to review and investigate alternative approaches to the problem, but for 15561 and 17879 to be resolved we need to address the fundamental problem of the file name on disk depending on the user-supplied certificate name. This dependency needs to be broken. Without addressing this problem we risk regression on important security fixes.

I'm going to go ahead and close this pull request for the time being. Please re-open this pull request once the next actions are addressed, new information is available, or you have a question related to this pull request. We've become aware of difficulties re-opening pull requests; in the event you cannot, please mention jeffmccune or adrienthebo with an @ sign in front and we'll re-open this pull request.

Closing the pull request doesn't mean we don't consider this change valuable, just that there are things that need to be addressed before it can be merged. If you have any questions or concerns, please don't hesitate to ping us in #puppet-dev on irc.freenode.net.

Please don't re-open this issue as it is a duplicate of #15561. If you'd like to work on this issue further, which I definitely encourage you to do, please file the pull request and comment against #15561.
Thanks, -Jeff

----------------------------------------

Bug #17879: extract cert name properly from subject DN
https://projects.puppetlabs.com/issues/17879#change-83689

Author: Yuri Arabadji
Status: Duplicate
Priority: High
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:

You owe me $200 for my time on debugging this. Hi.

--- /usr/local/rvm/gems/ruby-1.9.3-p286@puppet30/gems/puppet-3.0.1/lib/puppet/ssl/base.rb.orig 2012-11-30 10:23:24.531533928 -0500
+++ /usr/local/rvm/gems/ruby-1.9.3-p286@puppet30/gems/puppet-3.0.1/lib/puppet/ssl/base.rb 2012-11-30 10:35:25.653400099 -0500
@@ -49,7 +49,9 @@ # Method to extract a 'name' from the subject of a certificate def self.name_from_subject(subject) - subject.to_s.sub(/\/CN=/i, '') + if triplet = subject.to_a.find {|name, data, type| name == 'CN' } + triplet[1] + end end # Create an instance of our Puppet::SSL::* class using a given instance of the wrapped class

Otherwise subject DN /O=Organization/OU=Something/CN=host.name.com will be converted into some mess and fail validation, with an exception being thrown right in the middle of code that doesn't expect it. So don't be shy, make the connection.verify_callback block catch the exception and actually raise SSLError or the like, and actually fill in the error message (class not found, name incorrect and such). That's all for now, dears.
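Review bot: in the added lines, when the subject has no CN component `find` returns nil and `name_from_subject` silently returns nil where it previously always returned a string, so callers get nil instead of the explicit error the description itself asks for; consider raising (for example `raise ArgumentError, "no CN in subject #{subject}"`) when no triplet is found. The CN value is also returned unchecked, so the concern raised in the comment above, a CN such as `..\..\puppet.conf` becoming a file name on disk, is not touched by this hunk. Minor style point: the block parameters `data` and `type` are unused and could be written `_data, _type`.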
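As an added illustration (not Puppet's code and not part of either post above), the three extraction strategies side by side on the DN from the report: the original `sub(/\/CN=/i, '')`, the patched `to_a.find`, and a hypothetical `safe_name_from_subject` that also refuses any CN that could not safely become an on-disk file name, which is the dependency the comment above says must be broken. `UnsafeCertName` and the hostname-style character whitelist are assumptions of this example.

```ruby
require 'openssl'

# What Puppet 3.0.1 did: strip the literal "/CN=" and hope the remainder is the name.
# On a multi-component DN this leaves the O/OU parts glued to the host name.
def legacy_name_from_subject(subject)
  subject.to_s.sub(/\/CN=/i, '')
end

# What the patch proposes: the data of the first CN component, or nil if there is none.
def patched_name_from_subject(subject)
  if (triplet = subject.to_a.find { |name, _data, _type| name == 'CN' })
    triplet[1]
  end
end

# Hypothetical hardened variant (not Puppet's code): extract the CN, then refuse any
# value that is not a plain hostname-like token before it can reach the filesystem.
class UnsafeCertName < StandardError; end

def safe_name_from_subject(subject)
  cn = subject.to_a.find { |name, _data, _type| name == 'CN' }
  raise UnsafeCertName, "subject has no CN component: #{subject}" unless cn
  value = cn[1].to_s
  # A conservative alphabet excludes both "/" and "\", and ".." is rejected explicitly
  # so a name like "a..b" cannot slip through either.
  unless value =~ /\A[a-z0-9][a-z0-9._-]*\z/i && !value.include?('..')
    raise UnsafeCertName, "cert name #{value.inspect} is not a safe file name"
  end
  value
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample DN, taken from the bug report.
  dn = OpenSSL::X509::Name.parse('/O=Organization/OU=Something/CN=host.name.com')
  puts legacy_name_from_subject(dn)   # /O=Organization/OU=Somethinghost.name.com
  puts patched_name_from_subject(dn)  # host.name.com
  puts safe_name_from_subject(dn)     # host.name.com
  # The traversal-shaped name from the comment above is rejected instead of accepted.
  begin
    safe_name_from_subject(OpenSSL::X509::Name.new([['CN', '..\\..\\puppet.conf']]))
  rescue UnsafeCertName => e
    puts "rejected: #{e.message}"
  end
end
```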