Merge pull request from GHSA-vx57-7f4q-fpc7
* Do not remove /new because it is not part of the route parameter (CVE-2021-29622) Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu> * Release 2.27.1 Signed-off-by: Julien Pivotto <roidelapluie@inuits.eu>pull/8841/head v2.27.1
parent
24c9b61221
commit
db7f0bcec2
12
CHANGELOG.md
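--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 2.27.1 / 2021-05-18
+
+This release contains a bug fix for a security issue in the API endpoint. An
+attacker can craft a special URL that redirects a user to any endpoint via an
+HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
+
+[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
+
+This vulnerability has been reported by Aaron Devaney from MDSec.
+
+* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
+
 ## 2.27.0 / 2021-05-12
 
 * [FEATURE] Promtool: Retroactive rule evaluation functionality. #7675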
@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
|
||||||
// Redirect the original React UI's path (under "/new") to its new path at the root.
|
// Redirect the original React UI's path (under "/new") to its new path at the root.
|
||||||
router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
|
router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
|
||||||
p := route.Param(r.Context(), "path")
|
p := route.Param(r.Context(), "path")
|
||||||
http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
|
http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
|
||||||
})
|
})
|
||||||
|
|
||||||
router.Get("/classic/alerts", readyf(h.alerts))
|
router.Get("/classic/alerts", readyf(h.alerts))
|
||||||
|
|
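Review bot: The redirect target built on the http.Redirect line is still assembled from the caller-controlled route parameter and query string, and the commit adds no regression test for the behavior it fixes; a unit test issuing a request under /new/ and asserting that the Location header begins with a single "/" (no scheme, no "//") would pin the fix for CVE-2021-29622. The reason the new form is safe is implicit: path.Join cleans its result, collapsing repeated slashes and resolving "..", so as long as the catch-all parameter keeps its leading slash (which the removed TrimPrefix(p, "/new") implied) the joined path stays site-relative; a comment such as `// path.Join cleans p, so the target is always a site-relative path; do not strip or rewrite p here (CVE-2021-29622).` would keep the next maintainer from reintroducing a prefix strip. Appending "?"+r.URL.RawQuery unconditionally also emits a dangling "?" when the query is empty; `target := path.Join(o.ExternalURL.Path, p)` followed by `if r.URL.RawQuery != "" { target += "?" + r.URL.RawQuery }` avoids that. The enclosing New function starts and ends outside the hunk.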