[arvados] created: 2.6.0-213-gce87e00e6
git repository hosting
git at public.arvados.org
Thu Jun 1 13:53:03 UTC 2023
at ce87e00e68521ce49d7618676e4cffefa6b42b60 (commit)
commit ce87e00e68521ce49d7618676e4cffefa6b42b60
Author: Brett Smith <brett.smith at curii.com>
Date: Thu Jun 1 09:51:29 2023 -0400
20545: Drop If-None-Match from requests proxied by controller
See comments for rationale.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>
diff --git a/lib/controller/proxy.go b/lib/controller/proxy.go
index 47b8cb471..26d1859ec 100644
--- a/lib/controller/proxy.go
+++ b/lib/controller/proxy.go
@@ -45,6 +45,11 @@ var dropHeaders = map[string]bool{
// Content-Length depends on encoding.
"Content-Length": true,
+
+ // Defend against Rails vulnerability CVE-2023-22795 -
+ // we don't use this functionality anyway, so it costs us nothing.
+ // <https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118>
+ "If-None-Match": true,
}
type ResponseFilter func(*http.Response, error) (*http.Response, error)
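Review bot: The new `"If-None-Match": true` entry is a security mitigation that nothing in this commit pins down: the diff touches only proxy.go, so a later edit to dropHeaders could silently let the header reach the Rails backend again. A regression test that sends a request carrying If-None-Match through the proxy and asserts the header is absent from the upstream request would guard it. The entry is an exact-match map key, and the code that consults dropHeaders is outside this hunk, so it is worth confirming that the lookup uses canonicalized header names (net/http canonicalizes headers parsed from the wire, but not keys written directly into the map). The comment could also record the side effect and the exit condition, for example `// Conditional GETs through controller will never yield 304; remove once the Rails API server runs a release that fixes CVE-2023-22795.`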
-----------------------------------------------------------------------
hooks/post-receive
--