Put the cookie option at the end when using curl

[kapouik]

Pull Request (PR) description

When using curl to download, the --cookie option is currently put in first before --proxy or --insecure options. Sometimes, the content of cookie can broke all command put after (discover with the module puppetlabs/puppetlabs-java when you use the class java::oracle).
So I just change the options order to make it work.

This Pull Request (PR) fixes the following issues

No issue open

[ekohl]

The order shouldn't matter so I'm interested in how can it exactly breaks. Insufficient shell escaping? I wonder if that could be a remote root exploit since the remote has control over cookies.

[kapouik]

You can try this command :
curl http://download.oracle.com/otn-pub/java/jdk//7u80-b15/jdk-7u80-linux-x64.rpm -o /tmp/jdk-7u80-linux-x64.rpm_20180810-6773-1a6m96j -fsSL --max-redirs 5 --cookie gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; --proxy http://127.0.0.1:3127
This command is generate from this file : https://github.com/puppetlabs/puppetlabs-java/blob/master/manifests/oracle.pp.
As it, --proxy is consider as a cookie argument.

[ekohl]

That does sound like it's not escaping and I'd consider that a security risk. On the other hand, it's already downloading code from a resource and executing it so in practice it's already trusting that remote server with full root access. Moving it to the end isn't a real solution because there could be multiple cookies in it after the semi-colon.

[bastelfreak]

Hi @kapouik, did you see the comment from @ekohl? I also assume that the rootcause is broken escaping somewhere.