Bug #2254
closed
The WebDAV access for the inventories on the rudder should not allow a GET access (aka should not give a nice index of the incoming directory but a 403 error instead)
Added by Matthieu CERDA almost 13 years ago.
Updated over 9 years ago.
Category:
Web - Nodes & inventories
Description
The WebDAV access for the inventories on the rudder should not allow a GET access (aka should not give a nice index of the incoming directory but a 403 error instead)
On SLES it is already the case, but the Debian Apache seems to accept any access gratefully.
- Tracker changed from User story to Bug
- Status changed from New to Discussion
- Assignee set to Jonathan CLARKE
Well, in fact it does not allow unauthenticated access. It seems that when I did it, Firefox was already authenticated; after clearing my cache and auth sessions, I get a password prompt as wanted.
Reject this please :)
- Status changed from Discussion to 2
- Assignee changed from Jonathan CLARKE to Matthieu CERDA
- Target version changed from 2.4.0~alpha5 to 2.4.0~alpha6
I disagree: the login/password can be easily found from any node managed from Rudder, so any administrator of one node could get it. This means the admin from one node can see (potentially sensitive) data about other nodes.
Even with the password, I believe GET should be forbidden. Retargeting for the next run.
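The restriction argued for above, shown as an added Apache 2.4 configuration example (this is not Rudder's own configuration; the `/inventories` location, the htpasswd path and the realm name are assumptions). The first block is the permissive form where any holder of the shared node credential can list and read the directory; the second only lets that credential PUT inventories and denies every other method, so a 403 is returned instead of an index.

```apache
# Added example, not Rudder's shipped config. Location, file paths and
# realm name are assumptions.

# --- Weak: any authenticated client may GET/PROPFIND, i.e. list and read
# every node's inventory with the credential that every node holds. ---
<Location /inventories>
    DAV On
    Options +Indexes
    AuthType Basic
    AuthName "Rudder inventories"
    AuthUserFile /etc/apache2/rudder-inventories.htpasswd
    Require valid-user
</Location>

# --- Hardened: the shared credential is only good for uploading. PUT
# requires a valid user; GET, PROPFIND, DELETE and everything else is
# denied outright (403), and directory indexes are switched off. ---
<Location /inventories>
    DAV On
    Options -Indexes
    AuthType Basic
    AuthName "Rudder inventories"
    AuthUserFile /etc/apache2/rudder-inventories.htpasswd
    <Limit PUT>
        Require valid-user
    </Limit>
    <LimitExcept PUT>
        Require all denied
    </LimitExcept>
</Location>
```

To check the hardened form, an authenticated `curl -u user:pass -X PUT` of a file should succeed while `curl -u user:pass https://server/inventories/` and a PROPFIND with the same credential should both return 403.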
- Status changed from 2 to In progress
- Target version changed from 2.4.0~alpha6 to 2.4.0~alpha7
- Status changed from In progress to Pending technical review
- % Done changed from 0 to 100
- Status changed from Pending technical review to Released
- Target version changed from 2.4.0~alpha7 to 2.3.7
This also applies to the 2.3 branch, so I've backported the commit.
- Category changed from 11 to 26
- Category changed from 26 to Web - Nodes & inventories