Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge 2.9 into 3.0 #754

Open
wants to merge 8 commits into
base: develop-3.0
Choose a base branch
from
Open

Merge 2.9 into 3.0 #754

wants to merge 8 commits into from

Commits on Feb 28, 2019

  1. Update rebar.config 

    Switch to develop-2.9 reference
    @martinsumner
    martinsumner committed Feb 28, 2019
    Configuration menu
    Copy the full SHA
    d7b0f5e View commit details
    Browse the repository at this point in the history

  2. Merge pull request #749 from martinsumner/develop-2.9 

    Update rebar.config
    @martinsumner
    martinsumner authored Feb 28, 2019
    Configuration menu
    Copy the full SHA
    73b7733 View commit details
    Browse the repository at this point in the history

  3. Update rebar.config 

    Point riak-erlang-client at dependency compatible with develop-2.9
    @martinsumner
    martinsumner committed Feb 28, 2019
    Configuration menu
    Copy the full SHA
    a0f4b37 View commit details
    Browse the repository at this point in the history

  4. Merge pull request #750 from martinsumner/develop-2.9 

    Update rebar.config
    @martinsumner
    martinsumner authored Feb 28, 2019
    Configuration menu
    Copy the full SHA
    09975fe View commit details
    Browse the repository at this point in the history

Commits on Mar 8, 2019

  1. [sec] yz xml extractor: prevent XXE attack 

    XML External Entity attack

1. if HTTP API is exposed:

  - read any file on the system — via /search/extract, the error message leaks
    file content;

  - send HTTP «GET /» request to any host — by PUT/POSTing text/xml document,
    or via /search/extract.  This is also likely riak DoS if the host is
    attacker-controlled.

2. if PB API is exposed

  - send HTTP «GET /» request to any host — by PUT/POST, see above.

Example request:

<?xml version="1.0"?>
<!DOCTYPE meow [
  <!ENTITY xxe2 SYSTEM "/etc/passwd">
  <!ENTITY xxe1 SYSTEM "http://host/ping-me">
]>
<meow>&xxe1;</meow>
    @llelf
    llelf committed Mar 8, 2019
    Configuration menu
    Copy the full SHA
    ba52825 View commit details
    Browse the repository at this point in the history

  2. [sec] http search: get rid of ‘yz-fprof’ header handling 

    It doesn't check user-provided path in any way.
This allows overriding any file on the system with riak permissions.
    @llelf
    llelf committed Mar 8, 2019
    Configuration menu
    Copy the full SHA
    5ebab64 View commit details
    Browse the repository at this point in the history

  3. Merge pull request #751 from llelf/sec1 

    Straighten security
    Martin Cox authored Mar 8, 2019
    Configuration menu
    Copy the full SHA
    0001bdf View commit details
    Browse the repository at this point in the history

Commits on May 9, 2019

  1. Merge branch 'develop-3.0' into develop-2.9-3.0-merge

    Martin Cox authored May 9, 2019
    Configuration menu
    Copy the full SHA
    f906c4a View commit details
    Browse the repository at this point in the history