fleet/server/contexts
jacobshandling 0eb8d432bf
Safely split incoming request headers, remove support for token presence in request body (#39427)
**Related issues:**
- Prevents unbounded split length exploits similar to
https://nvd.nist.gov/vuln/detail/CVE-2025-30204
- Also removes parsing of request body for token, see
https://github.com/fleetdm/fleet/issues/39659
- @iansltx I figured since this PR updates the code blocks in question,
makes sense to [remove the body parsing
here](https://github.com/fleetdm/fleet/pull/39427/changes#diff-83b0d73af21e81cf2c5ed4448718d0760543699fe6e36e401372467befea29edL30-L33),
and clean up the [related dead
code](c1e3e89b5f/frontend/services/entities/installers.ts (L13))
in a follow-up

See https://fleetdm.slack.com/archives/C019WG4GH0A/p1770322925865209

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2026-02-18 08:50:04 -08:00
apple_bm feat: enable multiple ABM and VPP tokens (#21693) 2024-08-29 18:51:46 -04:00
authz Add new self-service auth method for iOS/iPadOS (#36659) 2025-12-05 10:16:46 -05:00
capabilities add headers denoting capabilities between fleet server / desktop / orbit (#7833) 2022-09-26 07:53:53 -03:00
carvestore Authenticate carve block endpoint before parsing the "data" field (#39353) 2026-02-05 15:55:03 -03:00
certserial My device page (self-service) for iOS/iPadOS (#35238) 2025-11-07 17:30:51 -05:00
ctxdb Fix edge case of AppConfig changes getting lost in cached mysql. (#15352) 2023-11-29 10:09:37 -05:00
ctxerr Improved OpenTelemetry error handling (#38757) 2026-01-26 17:07:32 -06:00
host Refactor endpoint_utils for modularization (#36484) 2025-12-31 09:12:00 -06:00
installersize Request body limits (#39080) 2026-02-05 10:29:53 -05:00
license Refactor endpoint_utils for modularization (#36484) 2025-12-31 09:12:00 -06:00
logging Migrate HTTP request logging from go-kit/log to slog (#39729) 2026-02-14 13:04:41 -06:00
publicip Add public ip to hosts & derive geolocation when rendering host (#4652) 2022-03-21 12:29:52 -04:00
token Safely split incoming request headers, remove support for token presence in request body (#39427) 2026-02-18 08:50:04 -08:00
viewer Activity bounded context: /api/latest/fleet/activities (2 of 2) (#38478) 2026-01-23 07:42:09 -06:00