Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refs #28761 - Always set an empty REMOTE_USER for pulpcore API #230

Merged
merged 1 commit into from
Jan 16, 2020
Merged

Refs #28761 - Always set an empty REMOTE_USER for pulpcore API #230

merged 1 commit into from
Jan 16, 2020

Conversation

pdudley
Copy link
Contributor

@pdudley pdudley commented Jan 15, 2020
edited
Loading

fixes a security flaw identified with GH-229

@wbclark
Copy link
Contributor

wbclark commented Jan 15, 2020

thanks for the contribution! @jlsherrill or @ekohl can you confirm this is the right approach to resolve the issue?

@ekohl
Copy link
Member

ekohl commented Jan 15, 2020

Code itself looks correct. Some more comments about the commit message and the organization. https://chris.beams.io/posts/git-commit/ has a lot of good suggestions about in general. We also have an issue that #nnn typically refers to Redmine issues where GH-nnn refers to Github issues.

@pdudley
Copy link
Contributor Author

pdudley commented Jan 15, 2020

Fixed issue # - and thanks for the resource on commit messages!

@wbclark
Copy link
Contributor

wbclark commented Jan 15, 2020

Code itself looks correct. Some more comments about the commit message and the organization. https://chris.beams.io/posts/git-commit/ has a lot of good suggestions about in general. We also have an issue that #nnn typically refers to Redmine issues where GH-nnn refers to Github issues.

Very helpful, thanks! Will also get this attached to the Redmine

@ekohl
Copy link
Member

ekohl commented Jan 15, 2020

Very helpful, thanks! Will also get this attached to the Redmine

Normally what we do with these is use Refs #28761. That way, it is automatically linked. After merge it's also properly linked and our cherry pick scripts use that. We're unlikely to cherry pick this, but it's good to use the automation.

@ekohl
Copy link
Member

ekohl commented Jan 16, 2020

My suggestion for a commit message (without hard line breaks as you'd normally add):

Refs #28761 - Always set an empty REMOTE_USER for pulpcore API

8be796383668528c3841d7378a2f3ef0dd6e86f7 started to pass the REMOTE_USER header to the pulpcore API when SSL authentication is present. Otherwise the REMOTE_USER header stays untouched. This allows attackers to impersonate any user. By always setting it to an empty string before optionally overriding, this security concern is addressed.

This links it back to our Redmine issue and in git log it explains what it's changing. It also explains why the change is made.

@pdudley
Refs #28761 - Always set an empty REMOTE_USER for pulpcore API
ab48bc8 
8be7963 started to pass the REMOTE_USER header to the pulpcore API when SSL authentication is present. Otherwise the REMOTE_USER header stays untouched. This allows attackers to impersonate any user. By always setting it to an empty string before optionally overriding, this security concern is addressed.
@pdudley pdudley changed the title fixes a security flaw Refs #28761 - Always set an empty REMOTE_USER for pulpcore API Jan 16, 2020
ehelms
ehelms approved these changes Jan 16, 2020
View reviewed changes
Copy link
Member

@ehelms ehelms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, Thanks!

@ehelms ehelms merged commit 495be04 into theforeman:master Jan 16, 2020
@ekohl
Copy link
Member

ekohl commented Jan 16, 2020

In this particular case I didn't look too closely but I had intended it to use Refs #28654, the original issue that introduced the regression. As long as it's unreleased, that should be reused when making another fix. https://projects.theforeman.org/issues/28761 shouldn't have been created.

@ekohl ekohl added the Bug label Feb 12, 2020
@pdudley pdudley deleted the remote_user_fix branch October 22, 2021 19:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ehelms ehelms ehelms approved these changes

Assignees
No one assigned
Labels
Bug Needs testing
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pdudley @wbclark @ekohl @ehelms @theforeman-bot