Revision 358ec5a3
Added by Dominic Cleal over 11 years ago
- ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd
app/controllers/fact_values_controller.rb | ||
---|---|---|
require 'foreman/controller/smart_proxy_auth'
|
||
|
||
class FactValuesController < ApplicationController
|
||
include Foreman::Controller::AutoCompleteSearch
|
||
include Foreman::Controller::SmartProxyAuth
|
||
|
||
skip_before_filter :require_ssl, :only => :create
|
||
skip_before_filter :require_login, :only => :create
|
||
skip_before_filter :authorize, :only => :create
|
||
skip_before_filter :verify_authenticity_token, :only => :create
|
||
skip_before_filter :set_taxonomy, :only => :create
|
||
skip_before_filter :session_expiry, :update_activity_time, :only => :create
|
||
before_filter :set_admin_user, :only => :create
|
||
add_puppetmaster_filters :create
|
||
before_filter :setup_search_options, :only => :index
|
||
|
||
def index
|
Also available in: Unified diff
fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.