Skip to content
This repository has been archived by the owner on Oct 4, 2019. It is now read-only.

Use HTTPS to reduce man-in-the-middle attack vector #269

Merged
merged 1 commit into from
Feb 13, 2019
Merged

Use HTTPS to reduce man-in-the-middle attack vector #269

merged 1 commit into from
Feb 13, 2019

Conversation

dglinder
Copy link
Contributor

The URL also works as "https://www.mls-software.com/files/setupssh-7.1p1-1.exe" so this would reduce potential for man-in-the-middle attacks compromising the build.

@dragetd
Copy link

dragetd commented Jan 4, 2019

I am kind of shocked to see that this is even a thing thoughout multiple points of the scripts. This is a high security risk. Searching for 'http:' shows some more results:

packer-windows/scripts/compact.bat

Line 2 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL

packer-windows/scripts/compact.bat

Line 7 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.sourceforge.net/project/ultradefrag/stable-release/6.1.0/ultradefrag-portable-6.1.0.bin.amd64.zip', 'C:\Windows\Temp\ultradefrag.zip')" <NUL

packer-windows/scripts/puppet-enterprise.bat

Line 2 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://pm.puppetlabs.com/puppet-enterprise/3.0.1/puppet-enterprise-3.0.1.msi', 'C:\Windows\Temp\puppet.msi')" <NUL

packer-windows/scripts/puppet.bat

Line 2 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://downloads.puppetlabs.com/windows/puppet-3.6.2.msi', 'C:\Windows\Temp\puppet.msi')" <NUL

packer-windows/scripts/rsync.bat

Line 3 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL

packer-windows/scripts/rsync.bat

Line 8 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://mirrors.kernel.org/sourceware/cygwin/x86_64/release/rsync/rsync-3.1.2-1.tar.xz', 'C:\Windows\Temp\rsync-3.1.2-1.tar.xz')" <NUL

packer-windows/scripts/vm-guest-tools.bat

Line 2 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.7-zip.org/a/7z920-x64.msi', 'C:\Windows\Temp\7z920-x64.msi')" <NUL

packer-windows/scripts/vm-guest-tools.bat

Line 18 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://softwareupdate.vmware.com/cds/vmw-desktop/ws/12.0.0/2985596/windows/packages/tools-windows.tar', 'C:\Windows\Temp\vmware-tools.tar')" <NUL

packer-windows/scripts/chef.bat

Line 2 in c4a111f

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://www.getchef.com/chef/install.msi', 'C:\Windows\Temp\chef.msi')" <NUL

packer-windows/scripts/openssh.ps1

Line 9 in c4a111f

$ssh_download_url = "http://www.mls-software.com/files/setupssh-7.1p1-1.exe"

This is not good!

@dragetd dragetd mentioned this pull request Jan 4, 2019
Open
@joefitzgerald joefitzgerald merged commit c87ab55 into joefitzgerald:master Feb 13, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@dglinder @dragetd @joefitzgerald