Merge pull request from GHSA-vx57-7f4q-fpc7
* Do not remove /new because it is not part of the route parameter (CVE-2021-29622) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> * Release 2.27.1 Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>pull/8841/head v2.27.1
parent
24c9b61221
commit
db7f0bcec2
12
CHANGELOG.md
12
CHANGELOG.md
|
@ -1,3 +1,15 @@
|
|||
## 2.27.1 / 2021-05-18
|
||||
|
||||
This release contains a bug fix for a security issue in the API endpoint. An
|
||||
attacker can craft a special URL that redirects a user to any endpoint via an
|
||||
HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
|
||||
|
||||
[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
|
||||
|
||||
This vulnerability has been reported by Aaron Devaney from MDSec.
|
||||
|
||||
* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
|
||||
|
||||
## 2.27.0 / 2021-05-12
|
||||
|
||||
* [FEATURE] Promtool: Retroactive rule evaluation functionality. #7675
|
||||
|
|
|
@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
|
|||
// Redirect the original React UI's path (under "/new") to its new path at the root.
|
||||
router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
|
||||
p := route.Param(r.Context(), "path")
|
||||
http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
|
||||
http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
|
||||
})
|
||||
|
||||
router.Get("/classic/alerts", readyf(h.alerts))
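Review bot: The redirect's safety now rests on an unstated invariant — that the `*path` catch-all parameter handed back by `route.Param` always begins with "/" so `path.Join` yields a site-relative target even when `o.ExternalURL.Path` is empty — and nothing in the hunk documents or enforces it. A one-line guard placed before the `http.Redirect` call makes the intent explicit and survives a future router change: `if !strings.HasPrefix(p, "/") { p = "/" + p }`, with a comment such as `// p must stay a leading-slash relative path; a scheme or host here is an open redirect (CVE-2021-29622).` Separately, `path.Join` only normalises forward slashes, so a request path like `/new/\evil.com` would reach `Location` as `/\evil.com`, which some browsers interpret as a protocol-relative URL — worth a regression test alongside the `http:/` case, though I have not confirmed the router delivers backslashes unescaped. `New` continues outside the hunk.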
|
||||
|
|