puppet 2.6.9 → 2.6.10

data/CHANGELOG

@@ -1,3 +1,10 @@
+2.6.10
+===
+ec5a32a Update spec and lib/puppet.rb for 2.6.10 release
+fe2de81 Resist directory traversal attacks through indirections. (CVE-2011-3484)
+243aaa9 (#7956) Porting cron tests
+3e3fc69 (#7956) Port resource acceptance tests
+
 2.6.9
 ====
 db1a392 (#7506) Organize READMEs; specify supported Ruby versions in README.md

data/conf/redhat/puppet.spec

@@ -5,7 +5,7 @@
 %global confdir conf/redhat
 
 Name:           puppet
-Version:        2.6.9
+Version:        2.6.10
 Release:        1%{?dist}
 Summary:        A network tool for managing many disparate systems
 License:        GPLv2
@@ -253,6 +253,9 @@ fi
 rm -rf %{buildroot}
 
 %changelog
+* Wed Sep 28 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.10-1
+- Fix for CVE-2011-3484
+
 * Tue Jun 21 2011 Michael Stahnke <stahnma@puppetlabs.com> - 2.6.9-1
 - Release of 2.6.9 
 

data/lib/puppet.rb

@@ -24,7 +24,7 @@ require 'puppet/util/run_mode'
 # it's also a place to find top-level commands like 'debug'
 
 module Puppet
-  PUPPETVERSION = '2.6.9'
+  PUPPETVERSION = '2.6.10'
 
   def Puppet.version
     PUPPETVERSION

data/lib/puppet/indirector.rb

@@ -68,4 +68,11 @@ module Puppet::Indirector
       self.class.indirection.save key, self
     end
   end
+
+
+  # Helper definition for indirections that handle filenames.
+  BadNameRegexp = Regexp.union(/^\.\./,
+                               %r{[\\/]},
+                               "\0",
+                               /(?i)^[a-z]:/)
 end

data/lib/puppet/indirector/ssl_file.rb

@@ -52,8 +52,12 @@ class Puppet::Indirector::SslFile < Puppet::Indirector::Terminus
     (collection_directory || file_location) or raise Puppet::DevError, "No file or directory setting provided; terminus #{self.class.name} cannot function"
   end
 
-  # Use a setting to determine our path.
   def path(name)
+    if name =~ Puppet::Indirector::BadNameRegexp then
+      Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+      raise ArgumentError, "invalid key"
+    end
+
     if ca?(name) and ca_location
       ca_location
     elsif collection_directory

data/lib/puppet/indirector/yaml.rb

@@ -43,6 +43,11 @@ class Puppet::Indirector::Yaml < Puppet::Indirector::Terminus
 
   # Return the path to a given node's file.
   def path(name,ext='.yaml')
+    if name =~ Puppet::Indirector::BadNameRegexp then
+      Puppet.crit("directory traversal detected in #{self.class}: #{name.inspect}")
+      raise ArgumentError, "invalid key"
+    end
+
     base = Puppet.run_mode.master? ? Puppet[:yamldir] : Puppet[:clientyamldir]
     File.join(base, self.class.indirection_name.to_s, name.to_s + ext)
   end

data/spec/unit/indirector/ssl_file_spec.rb

@@ -87,6 +87,25 @@ describe Puppet::Indirector::SslFile do
       it "should set them in the setting directory, with the certificate name plus '.pem', if a directory setting is available" do
         @searcher.path(@cert.name).should == @certpath
       end
+
+      ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+       '/foo', '//foo', '\\foo', '\\\\goo',
+       "test\0/../bar", "test\0\\..\\bar",
+       "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+       " / bar", " /../ bar", " \\..\\ bar",
+       "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+       "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+       "//?/c:/foo",
+      ].each do |input|
+        it "should resist directory traversal attacks (#{input.inspect})" do
+          expect { @searcher.path(input) }.to raise_error
+        end
+      end
+
+      # REVISIT: Should probably test MS-DOS reserved names here, too, since
+      # they would represent a vulnerability on a Win32 system, should we ever
+      # support that path.  Don't forget that 'CON.foo' == 'CON'
+      # --daniel 2011-09-24
     end
 
     describe "when finding certificates on disk" do

data/spec/unit/indirector/yaml_spec.rb

@@ -63,6 +63,20 @@ describe Puppet::Indirector::Yaml, " when choosing file location" do
     it "should use the object's name to determine the file name" do
       @store.path(:me).should =~ %r{me.yaml$}
     end
+
+    ['../foo', '..\\foo', './../foo', '.\\..\\foo',
+     '/foo', '//foo', '\\foo', '\\\\goo',
+     "test\0/../bar", "test\0\\..\\bar",
+     "..\\/bar", "/tmp/bar", "/tmp\\bar", "tmp\\bar",
+     " / bar", " /../ bar", " \\..\\ bar",
+     "c:\\foo", "c:/foo", "\\\\?\\UNC\\bar", "\\\\foo\\bar",
+     "\\\\?\\c:\\foo", "//?/UNC/bar", "//foo/bar",
+     "//?/c:/foo",
+    ].each do |input|
+      it "should resist directory traversal attacks (#{input.inspect})" do
+        expect { @store.path(input) }.to raise_error
+      end
+    end
   end
 
   describe Puppet::Indirector::Yaml, " when storing objects as YAML" do

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: puppet
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 3
   prerelease: 
   segments: 
   - 2
   - 6
-  - 9
-  version: 2.6.9
+  - 10
+  version: 2.6.10
 platform: ruby
 authors: 
 - Puppet Labs
@@ -15,8 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-21 00:00:00 -07:00
-default_executable: 
+date: 2011-09-28 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: facter
@@ -1392,7 +1391,6 @@ files:
 - bin/puppetmasterd
 - bin/puppetqd
 - bin/puppetrun
-has_rdoc: true
 homepage: http://puppetlabs.com
 licenses: []
 
@@ -1426,7 +1424,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: puppet
-rubygems_version: 1.5.3
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: Puppet, an automated configuration management tool