Displaying 1 result from an estimated 1 matches for "sslfile".
2011 Sep 28
Announce: New Puppet releases due to CVE-2011-3848 [security]
...or the 0.25.x, 2.6.x, and 2.7.x branches.
Author: Daniel Pittman <daniel@puppetlabs.com>
Date: Sat Sep 24 12:44:20 2011 -0700
Resist directory traversal attacks through indirections.
In various versions of Puppet it was possible to cause a directory
traversal attack through the SSLFile indirection base class.
This was variously triggered through the user-supplied key, or
the Subject of the certificate, in the code.
Now, we detect bad patterns down in the base class for our
indirections, and fail hard on them. This reduces the attack
surface with as little disruption t...