jacobshandling
0eb8d432bf
Safely split incoming request headers, remove support for token presence in request body (#39427)
...
**Related issues:**
- Prevents unbounded split length exploits similar to
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
- Also removes parsing of request body for token, see
https://github.com/fleetdm/fleet/issues/39659
- @iansltx I figured since this PR updates the code blocks in question,
makes sense to [remove the body parsing
here](https://github.com/fleetdm/fleet/pull/39427/changes#diff-83b0d73af21e81cf2c5ed4448718d0760543699fe6e36e401372467befea29edL30-L33),
and clean up the [related dead
code](c1e3e89b5f/frontend/services/entities/installers.ts (L13) )
in a follow-up
See https://fleetdm.slack.com/archives/C019WG4GH0A/p1770322925865209
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2026-02-18 08:50:04 -08:00
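An added illustration of the bounded-split idea named in the commit message above (not code from the Fleet repository or from the commit's author): `strings.Split` on a request header does work proportional to the number of separators the client sends, while `strings.Cut` stops at the first one. The names `bearerToken` and `unboundedFields` and the `maxAuthHeaderLen` cap are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// maxAuthHeaderLen is an assumed cap for this example, not a Fleet constant.
const maxAuthHeaderLen = 8192

// unboundedFields shows the risky pattern: strings.Split allocates one slice
// element per separator, so the cost scales with client-controlled input.
func unboundedFields(header string) int {
	return len(strings.Split(header, " "))
}

// bearerToken (hypothetical name) extracts the token with a bounded split.
// strings.Cut stops at the first space and never builds more than two parts.
// An empty token is returned as-is; the caller decides what to do with it.
func bearerToken(header string) (string, bool) {
	if len(header) > maxAuthHeaderLen {
		return "", false
	}
	scheme, token, found := strings.Cut(header, " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return "", false
	}
	// A bearer token contains no spaces; this scan allocates nothing.
	if strings.ContainsRune(token, ' ') {
		return "", false
	}
	return token, true
}

func main() {
	// Constructed input: a header made almost entirely of separators.
	hostile := "Bearer " + strings.Repeat(" ", 4000)
	fmt.Println("parts built by strings.Split:", unboundedFields(hostile))

	tok, ok := bearerToken("Bearer abc123")
	fmt.Printf("well-formed header: token=%q ok=%v\n", tok, ok)

	_, ok = bearerToken(hostile)
	fmt.Println("separator-flood header accepted:", ok)
}
```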
Frank Sievertsen
dd8cf37a85
#7624 accept empty bearer authorization token. (#7685)
...
* Fix #7624 accept empty bearer authorization token.
* add changes file
2022-09-12 16:09:41 +02:00
Roberto Dip
8acf14ab43
adjust installers endpoint to avoid AJAX downloads (#7226)
...
Related to #7206, this delegates the handling of the download to the browser
2022-08-16 12:54:41 -03:00
Zach Wasserman
db459d3363
Continue to update names in backend code and docs (#976)
2021-06-06 16:58:23 -07:00
Zachary Wasserman
715d908613
Update go-kit to 0.4.0 (#1411)
...
Notable refactoring:
- Use stdlib "context" in place of "golang.org/x/net/context"
- Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go
- Use MakeHandler when setting up endpoint tests (fixes test bug caught during
this refactoring)
Closes #1411.
2017-03-15 08:55:30 -07:00
Mike Arpaia
a047ef2211
Quick contexts additions (#739)
...
* Defining a concrete type for session tokens
* More rightish vc.IsLoggedIn()
* using type conversion instead of a method call
* include sessions in test viewer contexts
2017-01-09 08:10:02 -07:00
Zachary Wasserman
0faa3a55fb
Make context imports consistent (#359)
2016-10-31 15:18:05 -07:00
Victor Vrantchan
372dac8304
Create context packages (#228)
...
add token context package
add viewer context package
add host context package
update authenticated middleware to set viewer context or return error
re-organize API handler
2016-09-26 13:14:39 -04:00