changeset 5810:81057be7a5c1 stable
auth: properly invoke PermFunctions (CVE-2016-3114)
This fixes a vulnerability that allowed logged-in users to edit or
delete open pull requests associated with any repository to which
they had read access, plus a related vulnerability allowing logged-in
users to delete any comment from any repository, provided they could
determine the comment ID and had read access to just one repository.
author | Søren Løvborg <sorenl@unity3d.com> |
date | Tue, 19 Apr 2016 16:57:38 +0200 |
parents | 93b512845dab |
children | 9b74296e6af6 |
files | kallithea/controllers/changeset.py kallithea/controllers/pullrequests.py |
diffstat | 2 files changed, 6 insertions(+), 6 deletions(-) [+] |
--- a/kallithea/controllers/changeset.py Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/changeset.py Tue Apr 19 16:57:38 2016 +0200
@@ -423,11 +423,11 @@
 'repository.admin')
 @jsonify
 def delete_comment(self, repo_name, comment_id):
- co = ChangesetComment.get(comment_id)
- if not co:
- raise HTTPBadRequest()
+ co = ChangesetComment.get_or_404(comment_id)
+ if co.repo.repo_name != repo_name:
+ raise HTTPNotFound()
 owner = co.author.user_id == c.authuser.user_id
- repo_admin = h.HasRepoPermissionAny('repository.admin')
+ repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
 if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
 ChangesetCommentsModel().delete(comment=co)
 Session().commit()
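Review bot: The new `if co.repo.repo_name != repo_name:` guard is the actual authorization fix in this hunk, yet it carries no comment explaining why it exists, so a later cleanup could drop it as a seemingly redundant check. Suggest `# The route's repository permission check covers only repo_name; a comment from any other repository is treated as not found (same 404 as a missing id, so nothing about other repositories is disclosed).` The decorator stack above `@jsonify` and the branch taken when the permission test fails both lie outside the hunk, so the full contract of delete_comment cannot be confirmed here. The diffstat lists only the two controllers, so no regression test pins the cross-repository case that this guard closes.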
--- a/kallithea/controllers/pullrequests.py Mon Feb 22 10:18:27 2016 +0100
+++ b/kallithea/controllers/pullrequests.py Tue Apr 19 16:57:38 2016 +0200
@@ -485,7 +485,7 @@
 #only owner or admin can update it
 owner = pull_request.owner.user_id == c.authuser.user_id
 repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-if not (h.HasPermissionAny('hg.admin') or repo_admin or owner):
+if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
 raise HTTPForbidden()
 
 _form = PullRequestPostForm()().to_python(request.POST)
@@ -788,7 +788,7 @@
 
 owner = co.author.user_id == c.authuser.user_id
 repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-if h.HasPermissionAny('hg.admin') or repo_admin or owner:
+if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
 ChangesetCommentsModel().delete(comment=co)
 Session().commit()
 return True
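Review bot: Both hunks fix the same defect, an unapplied `h.HasPermissionAny('hg.admin')` object being truthy in a boolean `or`, but nothing prevents the next caller from making the same mistake; the class behind these permission functions would be safer if it refused boolean conversion (raising TypeError from `__nonzero__`/`__bool__`) so an uncalled check fails loudly instead of granting access. In the hunk at line 788 the lookup of `co` is above the visible context, so it cannot be confirmed here that the comment is bound to `c.repo_name` the way the changeset.py hunk now binds it to `repo_name`; if it is not, the commit message's "delete any comment from any repository" case remains open on this route. The enclosing functions start outside both hunks.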