Bug #2254

closed

The WebDAV access for the inventories on the rudder should not allow a GET access (aka should not give a nice index of the incoming directory but a 403 error instead)

Added by Matthieu CERDA almost 13 years ago. Updated over 9 years ago.

Status: Released
Priority: 1 (highest)
Assignee: Matthieu CERDA
Category: Web - Nodes & inventories

Description

The WebDAV access for the inventories on the rudder should not allow a GET access (aka should not give a nice index of the incoming directory but a 403 error instead)

On SLES it is already the case, but the Debian Apache seems to accept any access gratefully.

Actions #1

Updated by Matthieu CERDA almost 13 years ago

  • Tracker changed from User story to Bug

Actions #2

Updated by Matthieu CERDA almost 13 years ago

  • Status changed from New to Discussion
  • Assignee set to Jonathan CLARKE

Well, in fact it does not allow unauthenticated access. It seems that when I did it, Firefox was already authenticated; after clearing my cache and auth sessions, I get a password prompt as wanted.

Reject this please :)

Actions #3

Updated by Jonathan CLARKE almost 13 years ago

  • Status changed from Discussion to 2
  • Assignee changed from Jonathan CLARKE to Matthieu CERDA
  • Target version changed from 2.4.0~alpha5 to 2.4.0~alpha6

I disagree: the login/password can be easily found from any node managed from Rudder, so any administrator of one node could get it. This means the admin from one node can see (potentially sensitive) data about other nodes.

Even with the password, I believe GET should be forbidden. Retargeting for the next run.
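One way to express the behaviour Jonathan asks for in Apache 2.4 configuration, as an added example (not the commit this ticket refers to and not Rudder's own configuration): the first block answers GET on the incoming collection with a directory index to anyone holding the shared credentials, the second returns 403 for GET (and HEAD, which Apache folds into GET inside `<Limit>`) while still requiring the credentials for the upload methods. The directory path, the htpasswd path, the AuthName and the assumption that nodes only need PUT are assumptions, not from the page.

```apache
# Added example, not Rudder's own configuration. Paths are assumed.
# Weak: any client holding the shared WebDAV credentials can GET the
# incoming collection and receive an index of every node's inventory.
<Directory /var/rudder/inventories/incoming>
    DAV On
    Options +Indexes
    AuthType Basic
    AuthName "Rudder inventories"
    # placeholder path
    AuthUserFile /etc/apache2/rudder-webdav.htpasswd
    Require valid-user
</Directory>

# Hardened: GET/HEAD get 403 for everyone, authenticated or not.
# With the default AuthMerging Off, the Require inside <Limit GET>
# replaces the directory-level Require for those methods only; every
# other method (PUT for uploads) still needs the shared credentials.
<Directory /var/rudder/inventories/incoming>
    DAV On
    Options -Indexes
    AuthType Basic
    AuthName "Rudder inventories"
    # placeholder path
    AuthUserFile /etc/apache2/rudder-webdav.htpasswd
    Require valid-user
    <Limit GET>
        Require all denied
    </Limit>
</Directory>
```

PROPFIND on a WebDAV collection also lists its members, so if the nodes only ever PUT, adding PROPFIND to the `<Limit>` list closes that second listing path; that is an assumption about the client, not something the ticket states.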

Actions #4

Updated by Matthieu CERDA over 12 years ago

  • Status changed from 2 to In progress
  • Target version changed from 2.4.0~alpha6 to 2.4.0~alpha7

Actions #5

Updated by Matthieu CERDA over 12 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 0 to 100

Actions #6

Updated by Jonathan CLARKE over 12 years ago

  • Status changed from Pending technical review to Released

Looks good to me.

Actions #7

Updated by Jonathan CLARKE over 12 years ago

  • Target version changed from 2.4.0~alpha7 to 2.3.7

This also applies to the 2.3 branch, so I've backported the commit.

Actions #8

Updated by Jonathan CLARKE over 12 years ago

  • Category changed from 11 to 26

Actions #9

Updated by Benoît PECCATTE over 9 years ago

  • Category changed from 26 to Web - Nodes & inventories