Revision 358ec5a3
Added by Dominic Cleal over 11 years ago
- ID 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd
app/controllers/hosts_controller.rb | ||
require 'foreman/controller/host_details'
require 'foreman/controller/smart_proxy_auth'
class HostsController < ApplicationController
include Foreman::Controller::HostDetails
include Foreman::Controller::AutoCompleteSearch
include Foreman::Controller::SmartProxyAuth
# actions which don't require authentication and are always treated as the admin user
ANONYMOUS_ACTIONS=[ :externalNodes, :lookup ]
PUPPETMASTER_ACTIONS=[ :externalNodes, :lookup ]
SEARCHABLE_ACTIONS= %w[index active errors out_of_sync pending disabled ]
AJAX_REQUESTS=%w{compute_resource_selected hostgroup_or_environment_selected current_parameters}
skip_before_filter :require_login, :only => ANONYMOUS_ACTIONS
skip_before_filter :require_ssl, :only => ANONYMOUS_ACTIONS
skip_before_filter :authorize, :only => ANONYMOUS_ACTIONS
skip_before_filter :set_taxonomy, :only => ANONYMOUS_ACTIONS
skip_before_filter :session_expiry, :update_activity_time, :only => ANONYMOUS_ACTIONS
before_filter :set_admin_user, :only => ANONYMOUS_ACTIONS
add_puppetmaster_filters PUPPETMASTER_ACTIONS
before_filter :ajax_request, :only => AJAX_REQUESTS
before_filter :find_multiple, :only => [:update_multiple_parameters, :multiple_build,
:select_multiple_hostgroup, :select_multiple_environment, :multiple_parameters, :multiple_destroy,
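Review bot: ANONYMOUS_ACTIONS and PUPPETMASTER_ACTIONS hold the same literal list, yet the login, SSL, authorize, taxonomy and session filters are skipped (and set_admin_user applied) for the first while the puppetmaster restriction from add_puppetmaster_filters is keyed on the second, so an action later added to ANONYMOUS_ACTIONS but not to PUPPETMASTER_ACTIONS would run as the admin user with every remaining check bypassed. Deriving one from the other keeps the exemption and the gate in lock-step: `ANONYMOUS_ACTIONS = [:externalNodes, :lookup].freeze` and `PUPPETMASTER_ACTIONS = ANONYMOUS_ACTIONS`, with the comment above them extended to say that the puppetmaster filters are the only access check these actions receive. Which of these lines the commit adds cannot be recovered from the rendered view, and the report and fact importer controllers named in the description are not shown here. The class body continues past the hunk; the `before_filter :find_multiple` list is cut mid-array.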
fixes #2121, #2069 - restrict importers and ENC to puppetmasters and users
CVE-2013-0171: report and fact importers parse YAML directly from the remote
host without authentication. Untrusted YAML can instantiate objects and be
used to exploit Foreman.
CVE-2013-0174: external nodes (ENC) output is available to any source and
could contain sensitive information, e.g. root password.
The restrict_registered_puppetmasters setting (default: on) now only permits
access to the three routes if the remote host has a smart proxy registered
with the Puppet feature.
The require_ssl_puppetmasters setting (default: on) requires a client SSL
certificate on HTTPS requests. The CN is checked against known smart proxies
as above. :require_ssl in settings.yaml is recommended to disable HTTP.
Ensure ENC (node.rb) and report (foreman.rb) scripts are updated to supply
client SSL certificates.