Bug
Resolution: Cannot Reproduce
Normal
None
6.15.z, 6.16.z
Description of problem:
Hosts registered to Satellite can access, via curl, custom repositories/RPMs that are not included in the Content View/Activation Key assigned to them.
Note: The customer had the "unprotected" setting set to false for their custom content and was still seeing the content over HTTP.
How reproducible:
100%
Is this issue a regression from an earlier version:
No
Steps to Reproduce:
1. Create a custom repository.
2. Create a content view and add only the RHEL 8/9 AppStream and BaseOS repositories, depending on the host version.
3. Create an Activation Key and assign the same content view to it.
4. Register a host to the Satellite using that Activation Key.
5. On the host, curl the Satellite content URL:
~~~~
$ curl https://satellite.example.com/pulp/content/Organization/LCE/
<html>
<head><title>Index of Organization/LCE/</title></head>
<body bgcolor="white">
<h1>Index of Organization/LCE/</h1>
<hr><pre><a href="../">../</a>
<a href="custom/">custom/</a>
</pre><hr></body>
</html>
~~~~
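One way to turn the check above into a repeatable audit, as an added example that is not part of the original report: parse the Pulp directory index the host can see and flag top-level entries that none of the host's entitled repository baseurls fall under. Assumptions: the index is the nginx-style listing shown above, and the entitled baseurls (constructed here; in practice taken from the host's enabled repositories) live under the same /pulp/content/<Org>/<LCE>/ path.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the listing the report shows for the LCE index.
INDEX_URL = "https://satellite.example.com/pulp/content/Organization/LCE/"
SAMPLE_INDEX = """<html>
<head><title>Index of Organization/LCE/</title></head>
<body bgcolor="white">
<h1>Index of Organization/LCE/</h1>
<hr><pre><a href="../">../</a>
<a href="custom/">custom/</a>
</pre><hr></body>
</html>"""

# Constructed sample: baseurls of the repos the host is entitled to via its
# Content View (RHEL 8 BaseOS/AppStream only, as in the reproduction steps).
SAMPLE_BASEURLS = [
    INDEX_URL + "content/dist/rhel8/8/x86_64/baseos/os",
    INDEX_URL + "content/dist/rhel8/8/x86_64/appstream/os",
]


class _IndexLinks(HTMLParser):
    """Collect href targets from an nginx-style 'Index of ...' listing."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href and href != "../":          # skip the parent-directory link
            self.hrefs.append(href.rstrip("/"))


def index_entries(html):
    """Names of the directories/files listed in the index page."""
    parser = _IndexLinks()
    parser.feed(html)
    return parser.hrefs


def entitled_top_level(index_url, baseurls):
    """First path component under index_url for each entitled repo baseurl."""
    prefix = urlparse(index_url).path.rstrip("/") + "/"
    names = set()
    for url in baseurls:
        path = urlparse(url).path
        if path.startswith(prefix):
            first = path[len(prefix):].split("/", 1)[0]
            if first:
                names.add(first)
    return names


def unexpected_entries(index_url, html, baseurls):
    """Index entries visible to the host that no entitled repo lives under."""
    return sorted(set(index_entries(html)) - entitled_top_level(index_url, baseurls))
```

Against the sample data the check reports `custom`, i.e. the product directory the host should not be able to see.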
Actual behavior:
The host is able to access the custom product added to the Satellite:
~~~~
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 29516  100 29516    0     0   543k      0 --:--:-- --:--:-- --:--:--  543k
~~~~
Expected behavior:
The host should not be able to access any data other than what is assigned in the content view.
Business Impact / Additional info:
- Possible security risk.
- Also, the custom products created by the customer are licensed for only a certain number of hosts; they are not open source, cost money, and are not meant to be accessible to all registered hosts.