From 77ade43dec5e6fc5afac7abe4b331a3bc7887e42 Mon Sep 17 00:00:00 2001
From: Luke Kanies <luke@madstop.com>
Date: Fri, 20 Mar 2009 00:25:16 -0500
Subject: Forbidding REST clients to set the node or IP

This is done for security reasons - if a client is
unauthenticated, we don't want them to be able to
just configure their own authentication information.

Signed-off-by: Luke Kanies <luke@madstop.com>
---
 lib/puppet/network/http/handler.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'lib/puppet')

diff --git a/lib/puppet/network/http/handler.rb b/lib/puppet/network/http/handler.rb
index db12a8b67..04ba14401 100644
--- a/lib/puppet/network/http/handler.rb
+++ b/lib/puppet/network/http/handler.rb
@@ -160,6 +160,12 @@ module Puppet::Network::HTTP::Handler
     def decode_params(params)
         params.inject({}) do |result, ary|
             param, value = ary
+            param = param.to_sym
+
+            # These shouldn't be allowed to be set by clients
+            # in the query string, for security reasons.
+            next result if param == :node
+            next result if param == :ip
             value = URI.unescape(value)
             if value =~ /^---/
                 value = YAML.load(value)
@@ -169,7 +175,7 @@ module Puppet::Network::HTTP::Handler
                 value = Integer(value) if value =~ /^\d+$/
                 value = value.to_f if value =~ /^\d+\.\d+$/
             end
-            result[param.to_sym] = value
+            result[param] = value
             result
         end
     end
-- 
cgit