1 From dbca8c0e5ab083588ac1a6aae9362ef32cb95065 Mon Sep 17 00:00:00 2001
2 From: Josh Cooper <josh@puppet.com>
3 Date: Fri, 28 Apr 2017 12:09:11 -0700
4 Subject: [PATCH] (PUP-7483) Reject all fact formats except PSON
6 Previously, an authenticated user could cause the master to execute
7 YAML.load on user-specified input, as well as MessagePack.unpack if the
8 msgpack gem was installed.
10 Since 3.2.2, agents have always sent facts as PSON. There is no reason
11 to support other formats, so reject all fact formats except PSON.
13 (cherry picked from commit 06d8c51367ca932b9da5d9b01958cfc0adf0f2ea)
14 ---
15 lib/puppet/indirector/catalog/compiler.rb | 6 +++--
16 spec/unit/indirector/catalog/compiler_spec.rb | 36 ++++++++++++++++++++++++---
17 2 files changed, 36 insertions(+), 6 deletions(-)
19 diff --git a/lib/puppet/indirector/catalog/compiler.rb b/lib/puppet/indirector/catalog/compiler.rb
20 index 6f4e2f3e4..ed2c3bc39 100644
21 --- a/lib/puppet/indirector/catalog/compiler.rb
22 +++ b/lib/puppet/indirector/catalog/compiler.rb
23 @@ -22,9 +22,11 @@ class Puppet::Resource::Catalog::Compiler < Puppet::Indirector::Code
24 # in Network::HTTP::Handler will automagically deserialize the value.
25 if text_facts.is_a?(Puppet::Node::Facts)
26 facts = text_facts
27 - else
28 + elsif format == 'pson'
29 # We unescape here because the corresponding code in Puppet::Configurer::FactHandler escapes
30 - facts = Puppet::Node::Facts.convert_from(format, CGI.unescape(text_facts))
31 + facts = Puppet::Node::Facts.convert_from('pson', CGI.unescape(text_facts))
32 + else
33 + raise ArgumentError, "Unsupported facts format"
34 end
36 unless facts.name == request.key
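Review bot: The new `else` branch raises `ArgumentError, "Unsupported facts format"` without saying which format was asked for, so an operator looking at master logs for attempts against this CVE cannot tell YAML from msgpack from garbage; `format` comes from the request, so include it bounded and quoted rather than raw, e.g. `raise ArgumentError, "Unsupported facts format #{format.to_s[0, 32].inspect}"`. Separately, this hunk only guards the branch that parses `text_facts` itself: the first branch still accepts an already-deserialized `Puppet::Node::Facts`, and the context comment says the `Network::HTTP::Handler` produces that value — whether that handler is itself restricted to PSON is not visible here and is worth confirming, otherwise the `YAML.load` sink named in the commit message may survive by that other route. The enclosing method (presumably `extract_facts_from_request`, judging by the spec) starts before the hunk, and `format` is assigned there.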
37 diff --git a/spec/unit/indirector/catalog/compiler_spec.rb b/spec/unit/indirector/catalog/compiler_spec.rb
38 index 4aaecd664..faf95f757 100755
39 --- a/spec/unit/indirector/catalog/compiler_spec.rb
40 +++ b/spec/unit/indirector/catalog/compiler_spec.rb
41 @@ -138,10 +138,10 @@ describe Puppet::Resource::Catalog::Compiler do
42 @facts = Puppet::Node::Facts.new('hostname', "fact" => "value", "architecture" => "i386")
43 end
45 - def a_request_that_contains(facts)
46 + def a_request_that_contains(facts, format = :pson)
47 request = Puppet::Indirector::Request.new(:catalog, :find, "hostname", nil)
48 - request.options[:facts_format] = "pson"
49 - request.options[:facts] = CGI.escape(facts.render(:pson))
50 + request.options[:facts_format] = format.to_s
51 + request.options[:facts] = CGI.escape(facts.render(format))
52 request
53 end
55 @@ -163,7 +163,7 @@ describe Puppet::Resource::Catalog::Compiler do
56 facts.timestamp.should == now
57 end
59 - it "should convert the facts into a fact instance and save it" do
60 + it "accepts PSON facts" do
61 request = a_request_that_contains(@facts)
63 options = {
64 @@ -175,6 +175,34 @@ describe Puppet::Resource::Catalog::Compiler do
66 @compiler.extract_facts_from_request(request)
67 end
69 + it "rejects YAML facts" do
70 + request = a_request_that_contains(@facts, :yaml)
72 + options = {
73 + :environment => request.environment,
74 + :transaction_uuid => request.options[:transaction_uuid],
75 + }
77 + expect {
78 + @compiler.extract_facts_from_request(request)
79 + }.to raise_error(ArgumentError, /Unsupported facts format/)
80 + end
82 + it "rejects unknown fact formats" do
83 + request = a_request_that_contains(@facts)
84 + request.options[:facts_format] = 'unknown-format'
86 + options = {
87 + :environment => request.environment,
88 + :transaction_uuid => request.options[:transaction_uuid],
89 + }
91 + expect {
92 + @compiler.extract_facts_from_request(request)
93 + }.to raise_error(ArgumentError, /Unsupported facts format/)
94 + end
96 end
98 describe "when finding nodes" do
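Review bot: Both new examples build an `options` hash (`:environment`, `:transaction_uuid`) that nothing reads — each `expect` block only calls `@compiler.extract_facts_from_request(request)` — so those four lines per example are dead weight carried over from the PSON example and should be dropped. The commit message also names `MessagePack.unpack` as a sink, but only YAML and an unrecognised name are exercised; if the msgpack gem is available in the test environment, a `rejects msgpack facts` example built with `a_request_that_contains(@facts, :msgpack)` would pin that path as well. The enclosing `describe` block begins before the hunk.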