
Interfaces and layers are served insecurely

Open stub42 opened this issue 10 years ago • 3 comments

'charm build' looks up layers and interfaces using plain HTTP from http://interfaces.juju.solutions, and is subject to various attacks potentially injecting malicious code into generated charms.

stub42 avatar Oct 28 '15 11:10 stub42

I've got some prelim code to wrap the services in charms. I should be able to switch back to this next week and land this. I'll get everything together and coordinate with @marcoceppi to do a launch during off-peak hours.

lazypower avatar May 04 '16 22:05 lazypower

Are there plans to fix this soon? Seems pretty serious, considering that charm hooks run as root. Can we get Let's Encrypt set up on whatever machine is hosting this site?

cmars avatar Aug 22 '16 20:08 cmars

@cmars there is, sorry, I'm booked solid with demo prep, and the last few months have been hectic. The last deploy as a charm went sideways and I haven't picked it back up since. I'll move this behind traefik with automagic letsencrypt support. Sound good? Give me a few more days to let the dust settle. Nobody else has stepped up to even tackle the issue comments yet, and I apologize for the length of time it's taken to complete this line item; it's up there but not the #1 burning fire for my team at the moment.

lazypower avatar Aug 22 '16 21:08 lazypower
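
A client-side complement to serving the index over TLS, as an added example that is not part of the issue thread or charm-tools' own code: the lookup refuses plain-HTTP URLs, refuses redirects that downgrade to HTTP, and refuses a repository URL in the response that is not HTTPS. The function names, the `repo` field name and the sample entries are assumptions made for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

class InsecureFetchError(ValueError):
    """A lookup, redirect or repository URL would leave HTTPS."""

def require_https(url):
    """Return url unchanged if it is an https:// URL with a host, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise InsecureFetchError("refusing non-HTTPS URL: %r" % (url,))
    return url

class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Reject any redirect that would downgrade the fetch to plain HTTP."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def repo_from_entry(raw):
    """Parse an index entry and return its repository URL only if it is HTTPS.
    The "repo" field name is an assumption about the index's JSON format."""
    entry = json.loads(raw)
    return require_https(entry["repo"])

def lookup(url, timeout=10):
    """Fetch an index entry over verified TLS and return the repo URL to clone."""
    require_https(url)
    opener = urllib.request.build_opener(HttpsOnlyRedirects)
    with opener.open(url, timeout=timeout) as resp:
        return repo_from_entry(resp.read().decode("utf-8"))

# Constructed sample entries (not real index responses).
GOOD_ENTRY = '{"name": "example-layer", "repo": "https://git.example.invalid/layer.git"}'
BAD_ENTRY = '{"name": "example-layer", "repo": "http://git.example.invalid/layer.git"}'

if __name__ == "__main__":
    print(repo_from_entry(GOOD_ENTRY))
    try:
        repo_from_entry(BAD_ENTRY)
    except InsecureFetchError as exc:
        print("rejected:", exc)
```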