Bug #28761

REMOTE_USER should be unset for Pulp API cert authentication

Added by Eric Helms 7 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:


Related issues

Related to Installer - Feature #28654: support client cert auth with pulp3 (Closed)
Blocks Installer - Tracker #28736: Use Pulp 3 for File and Container content in Katello (Closed)

Associated revisions

Revision 495be04a (diff)
Added by Paul Dudley 7 months ago

Refs #28761 - Always set an empty REMOTE_USER for pulpcore API

8be796383668528c3841d7378a2f3ef0dd6e86f7 started to pass the REMOTE_USER header to the pulpcore API when SSL authentication is present. Otherwise the REMOTE_USER header stays untouched. This allows attackers to impersonate any user. By always setting it to an empty string before optionally overriding, this security concern is addressed.
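
The header handling that commit message describes, modelled as an added example (not code from the commit or the project). The function names, the sample request and the certificate CN are constructed for illustration.

```python
# Constructed model of a TLS-terminating proxy in front of an API that trusts
# the REMOTE_USER request header. All names and values here are hypothetical.

def _without_remote_user(headers):
    # HTTP header names are case-insensitive, so drop every casing.
    return {k: v for k, v in headers.items() if k.upper() != "REMOTE_USER"}


def forward_before_fix(client_headers, cert_cn):
    """Override REMOTE_USER only when a client certificate was presented."""
    if cert_cn:
        upstream = _without_remote_user(client_headers)
        upstream["REMOTE_USER"] = cert_cn
        return upstream
    # No certificate: the header is left untouched, client value included.
    return dict(client_headers)


def forward_after_fix(client_headers, cert_cn):
    """Always set REMOTE_USER to empty first, then optionally override it."""
    upstream = _without_remote_user(client_headers)
    upstream["REMOTE_USER"] = ""
    if cert_cn:
        upstream["REMOTE_USER"] = cert_cn
    return upstream


def backend_user(upstream_headers):
    """The API's view: a non-empty REMOTE_USER names an authenticated user."""
    for name, value in upstream_headers.items():
        if name.upper() == "REMOTE_USER" and value:
            return value
    return None


# Constructed request: no client certificate, but a client-supplied header.
SPOOFED = {"Accept": "application/json", "Remote_User": "admin"}

if __name__ == "__main__":
    for label, forward in (("before", forward_before_fix),
                           ("after", forward_after_fix)):
        for cn in (None, "proxy.example.com"):
            print(label, "cert CN:", cn, "-> backend user:",
                  backend_user(forward(SPOOFED, cn)))
```
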

History

#1 Updated by Eric Helms 7 months ago

  • Blocks Tracker #28736: Use Pulp 3 for File and Container content in Katello added

#2 Updated by William Clark 7 months ago

  • Pull request https://github.com/theforeman/puppet-foreman_proxy_content/pull/230 added

#3 Updated by William Clark 7 months ago

  • Status changed from Assigned to Ready For Testing

#4 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Related to Feature #28654: support client cert auth with pulp3 added

#5 Updated by Ewoud Kohl van Wijngaarden 7 months ago

  • Triaged changed from No to Yes
  • Status changed from Ready For Testing to Closed
  • Category set to Foreman modules
  • Fixed in Releases 2.0.0 added
