diff options
| author | Luke Kanies <luke@madstop.com> | 2009-03-20 00:25:16 -0500 |
|---|---|---|
| committer | James Turnbull <james@lovedthanlost.net> | 2009-03-20 18:27:08 +1100 |
| commit | 77ade43dec5e6fc5afac7abe4b331a3bc7887e42 (patch) | |
| tree | 076af8725dce5aebd3947e6a831d707c690cce9e /lib/puppet | |
| parent | 0179e945a7d402c90a333c8207243882af362e06 (diff) | |
| download | puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.gz puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.tar.xz puppet-77ade43dec5e6fc5afac7abe4b331a3bc7887e42.zip | |
Forbidding REST clients to set the node or IP
This is done for security reasons - if a client is
unauthenticated, we don't want them to be able to
just configure their own authentication information.
Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'lib/puppet')
| -rw-r--r-- | lib/puppet/network/http/handler.rb | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb index db12a8b67..04ba14401 100644 --- a/lib/puppet/network/http/handler.rb +++ b/lib/puppet/network/http/handler.rb @@ -160,6 +160,12 @@ module Puppet::Network::HTTP::Handler def decode_params(params) params.inject({}) do |result, ary| param, value = ary + param = param.to_sym + + # These shouldn't be allowed to be set by clients + # in the query string, for security reasons. + next result if param == :node + next result if param == :ip value = URI.unescape(value) if value =~ /^---/ value = YAML.load(value) @@ -169,7 +175,7 @@ module Puppet::Network::HTTP::Handler value = Integer(value) if value =~ /^\d+$/ value = value.to_f if value =~ /^\d+\.\d+$/ end - result[param.to_sym] = value + result[param] = value result end end |