Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add content type headers to raw KV responses #10023

Merged
merged 4 commits into from
Apr 14, 2021
Merged

Add content type headers to raw KV responses #10023

merged 4 commits into from
Apr 14, 2021

Conversation

picatz
Copy link
Contributor

@picatz picatz commented Apr 14, 2021

CVE-2020-25864

A vulnerability was identified in Consul and Consul Enterprise ("Consul") such that a specially crafted KV entry could be used to perform a XSS attack when viewed in the raw mode.

This PR adds content-type headers to raw KV responses to prevent that attack.

@picatz picatz added type/docs Documentation needs to be created/updated/clarified backport/1.7 labels Apr 14, 2021
@picatz picatz requested a review from a team April 14, 2021 20:26
@picatz picatz self-assigned this Apr 14, 2021
@hashicorp-ci
Copy link
Contributor

🤔 This PR has changes in the website/ directory but does not have a type/docs-cherrypick label. If the changes are for the next version, this can be ignored. If they are updates to current docs, attach the label to auto cherrypick to the stable-website branch after merging.

@vercel vercel bot temporarily deployed to Preview – consul April 14, 2021 20:40 Inactive
@vercel vercel bot temporarily deployed to Preview – consul-ui-staging April 14, 2021 20:40 Inactive
rboyer
rboyer approved these changes Apr 14, 2021
View reviewed changes
Copy link
Member

@rboyer rboyer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@picatz picatz merged commit 9f7190a into master Apr 14, 2021
@picatz picatz deleted the fix-raw-kv-xss branch April 14, 2021 22:49
@hashicorp-ci
Copy link
Contributor

🍒 If backport labels were added before merging, cherry-picking will start automatically.

To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/350888.

@hashicorp-ci
Copy link
Contributor

🍒✅ Cherry pick of commit 9f7190a onto release/1.9.x succeeded!

@hashicorp-ci
Copy link
Contributor

🍒❌ Cherry pick of commit 9f7190a onto release/1.8.x failed! Build Log

@hashicorp-ci
Copy link
Contributor

🍒❌ Cherry pick of commit 9f7190a onto release/1.7.x failed! Build Log

hashicorp-ci pushed a commit that referenced this pull request Apr 15, 2021
@picatz @hashicorp-ci
Merge pull request #10023 from hashicorp/fix-raw-kv-xss
dc937c9 
Add content type headers to raw KV responses
mikemorris pushed a commit that referenced this pull request Apr 15, 2021
@picatz @mikemorris
Merge pull request #10023 from hashicorp/fix-raw-kv-xss
447dd52 
Add content type headers to raw KV responses
mikemorris pushed a commit that referenced this pull request Apr 15, 2021
@picatz @mikemorris
Merge pull request #10023 from hashicorp/fix-raw-kv-xss
4342877 
Add content type headers to raw KV responses
This was referenced Apr 15, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rboyer rboyer rboyer approved these changes

Assignees

@picatz picatz

Labels
type/docs Documentation needs to be created/updated/clarified
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@picatz @hashicorp-ci @rboyer