changeset 4804:5923d7474287
[security fix] api: don't send internal data unless asked for it
This changeset fixes CVE-2015-0260.
See <https://kallithea-scm.org/security/cve-2015-0260.html> for
more details.
author | Mads Kiilerich <madski@unity3d.com> |
---|---|
date | Fri, 06 Feb 2015 03:35:40 +0100 |
parents | 9df497f29cf2 |
children | 3078f33e13d3 |
files | kallithea/model/db.py kallithea/tests/functional/test_admin_users.py kallithea/tests/functional/test_my_account.py |
diffstat | 3 files changed, 14 insertions(+), 11 deletions(-) [+] |
--- a/kallithea/model/db.py Thu Jan 29 21:49:02 2015 +0100
+++ b/kallithea/model/db.py Fri Feb 06 03:35:40 2015 +0100
@@ -627,7 +627,7 @@
 raise Exception('Missing default account!')
 return user
- def get_api_data(self):
+ def get_api_data(self, details=False):
 """
 Common function for generating user related data for API
 """
@@ -639,15 +639,18 @@
 lastname=user.lastname,
 email=user.email,
 emails=user.emails,
- api_key=user.api_key,
- api_keys=user.api_keys,
 active=user.active,
 admin=user.admin,
- extern_type=user.extern_type,
- extern_name=user.extern_name,
- last_login=user.last_login,
- ip_addresses=user.ip_addresses
 )
+ if details:
+ data.update(dict(
+ extern_type=user.extern_type,
+ extern_name=user.extern_name,
+ api_key=user.api_key,
+ api_keys=user.api_keys,
+ last_login=user.last_login,
+ ip_addresses=user.ip_addresses
+ ))
 return data
 def __json__(self):
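Review bot: The docstring of `get_api_data` still says only `Common function for generating user related data for API` and does not mention the new `details` parameter, so nothing tells a future caller that this flag gates credentials and login metadata. I would extend it in the file's reST style with something like `:param details: also include api_key/api_keys, extern_type/extern_name, last_login and ip_addresses; pass True only when the caller is the user themself or an admin`. The body of `get_api_data` continues outside this hunk.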
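Review bot: The `details` flag now withholds api_key, api_keys, extern_type, extern_name, last_login and ip_addresses by default, but this changeset touches only db.py and two functional tests, so every production caller of `get_api_data()` keeps the new default and silently loses those fields — including any admin or self-service API path that is entitled to them. Those call sites should be audited and switched to `details=True` only where the requester is verified to be the user in question or an admin; presumably that is what a follow-up does, but it is not visible here. Note that `email` and `emails` stay in the unconditional set, which may be intended but deserves an explicit decision since they are personal data as well. The enclosing `get_api_data` starts in the previous hunk and `__json__` continues past the end of this one.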
--- a/kallithea/tests/functional/test_admin_users.py Thu Jan 29 21:49:02 2015 +0100
+++ b/kallithea/tests/functional/test_admin_users.py Fri Feb 06 03:35:40 2015 +0100
@@ -129,7 +129,7 @@
 extern_name=self.test_user_1,
 skip_if_exists=True)
 Session().commit()
- params = usr.get_api_data()
+ params = usr.get_api_data(True)
 params.update({'password_confirmation': ''})
 params.update({'new_password': ''})
 params.update(attrs)
@@ -149,7 +149,7 @@
 self.checkSessionFlash(response, 'User updated successfully')
 updated_user = User.get_by_username(self.test_user_1)
- updated_params = updated_user.get_api_data()
+ updated_params = updated_user.get_api_data(True)
 updated_params.update({'password_confirmation': ''})
 updated_params.update({'new_password': ''})
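Review bot: Both tests in this file now pass `True` to keep exercising the detailed output, but nothing in the changeset asserts the fix itself — that a plain `get_api_data()` no longer contains the sensitive keys. A regression test for CVE-2015-0260 is a few lines, e.g. `data = usr.get_api_data()` followed by `assert 'api_key' not in data` and `assert 'ip_addresses' not in data`, and would catch a reintroduction. As a style point, `usr.get_api_data(details=True)` states the intent at the call site better than a bare positional boolean. The enclosing test methods start and end outside these hunks.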
--- a/kallithea/tests/functional/test_my_account.py Thu Jan 29 21:49:02 2015 +0100
+++ b/kallithea/tests/functional/test_my_account.py Fri Feb 06 03:35:40 2015 +0100
@@ -106,7 +106,7 @@
 extern_type='internal',
 extern_name=self.test_user_1,
 skip_if_exists=True)
- params = usr.get_api_data() # current user data
+ params = usr.get_api_data(True) # current user data
 user_id = usr.user_id
 self.log_user(username=self.test_user_1, password='qweqwe')
@@ -122,7 +122,7 @@
 'Your account was updated successfully')
 updated_user = User.get_by_username(self.test_user_1)
- updated_params = updated_user.get_api_data()
+ updated_params = updated_user.get_api_data(True)
 updated_params.update({'password_confirmation': ''})
 updated_params.update({'new_password': ''})
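Review bot: `params = usr.get_api_data(True) # current user data` passes the new flag positionally; with a boolean parameter the keyword form `usr.get_api_data(details=True)` documents what is being requested and survives any later parameter being inserted before it. The trailing comment could also say why the detailed form is needed here, e.g. `# current user data, with the detail fields the account form expects`, though whether the form actually submits those fields is not visible in this hunk. The enclosing test methods start and end outside these hunks.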