mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-07-09 16:00:59 +00:00
The agent self-updater's HTTP client followed redirects with no CheckRedirect policy. Go's net/http strips Authorization/Cookie on a cross-host redirect but forwards custom headers such as X-API-Token, so a cross-origin 30x from the operator-configured PulseURL (open redirect, compromised/hijacked server, DNS/BGP hijack, or a malicious provisioning URL) leaked the agent API token to the redirect target (CWE-200/CWE-522). Backport of the v6 fix: refuse to follow any redirect rather than re-sending the token. Covers both the getServerVersion version-check path and the binary-download path, with regression tests asserting the redirect target is never hit. Reported by tonghuaroot. |
||
|---|---|---|
| .. | ||
| coverage_test.go | ||
| restart_unix.go | ||
| restart_windows.go | ||
| update.go | ||
| update_http_test.go | ||
| update_test.go | ||