File puppet-3.8.5-CVE-2021-27023.patch of Package puppet.25941
Index: puppet-3.8.5/lib/puppet/defaults.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/defaults.rb
+++ puppet-3.8.5/lib/puppet/defaults.rb
@@ -580,6 +580,12 @@ module Puppet
:owner => "service",
:group => "service",
:desc => "The directory where catalog previews per node are generated."
+ },
+ :location_trusted => {
+ :default => false,
+ :type => :boolean,
+ :desc => "This will allow sending the name + password and the cookie header to all hosts that puppet may redirect to.
+ This may or may not introduce a security breach if puppet redirects you to a site to which you'll send your authentication info and cookies."
}
)
Puppet.define_settings(:module_tool,
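Review bot: The `:desc` text added for `:location_trusted` is too vague for an operator to judge the risk: "may or may not introduce a security breach" does not say which headers are affected or what the default protects against. I would name the headers and the default behaviour, for example `:desc => "Whether to forward the Authorization and Cookie headers when a redirect points to a different host. When false (the default) these headers are dropped on such redirects; enabling this can disclose credentials to whichever host the server redirects to."`. The enclosing `define_settings` call starts outside the hunk.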
Index: puppet-3.8.5/lib/puppet/network/http/connection.rb
===================================================================
--- puppet-3.8.5.orig/lib/puppet/network/http/connection.rb
+++ puppet-3.8.5/lib/puppet/network/http/connection.rb
@@ -171,7 +171,7 @@ module Puppet::Network::HTTP
return response if response
with_connection(current_site) do |connection|
- apply_options_to(current_request, options)
+ apply_options_to(current_request, options) if redirection.zero?
current_response = execute_request(connection, current_request)
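Review bot: The new `if redirection.zero?` guard on `apply_options_to` has no comment and is not tied to `Puppet[:location_trusted]`, so options are never re-applied to a redirected request even when the operator has opted in. If `apply_options_to` is what sets credentials from `options` (it is not visible here, so this is an assumption), the trusted case relies entirely on the header copy further down carrying them over from `request`. That is worth confirming with a test for a cross-host redirect with the setting enabled. I would add a comment such as `# options (which may carry credentials) are applied to the original request only; redirected requests get their headers from the filtered copy below`. The enclosing method starts and ends outside the hunk.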
@@ -185,6 +185,11 @@ module Puppet::Network::HTTP
current_request = current_request.class.new(location.path)
current_request.body = request.body
request.each do |header, value|
+ unless Puppet[:location_trusted]
+ # skip adding potentially sensitive header to other hosts
+ next if header.casecmp('Authorization').zero? && request.uri.host.casecmp(location.host) != 0
+ next if header.casecmp('Cookie').zero? && request.uri.host.casecmp(location.host) != 0
+ end
current_request[header] = value
end
else
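Review bot: The cross-host test in the added `unless Puppet[:location_trusted]` block compares only host names, so a redirect to the same host over a different scheme or port still receives `Authorization` and `Cookie`; a downgrade from https to http would put them on the wire in cleartext. It also calls `request.uri.host`, and `uri` can be nil on a Net::HTTP request built from a path string (as the replacement request a few lines above is), which would raise NoMethodError instead of stripping the header. Whether the original `request` carries a URI is not visible in this hunk. I would compute the decision once before `request.each` and fail closed, e.g. `src = request.uri` and `same_origin = src && src.scheme == location.scheme && src.host.casecmp(location.host).zero? && src.port == location.port`, then `next if !same_origin && %w[authorization cookie].include?(header.downcase)`. The loop sits in a branch whose `if` is outside the hunk.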