# HG changeset patch
# User Søren Løvborg <sorenl@unity3d.com>
# Date 2016-04-19 16:57:38
# Node ID 81057be7a5c10e1cd08d32c923468e41cf417ed1
# Parent  93b512845dab0f6a950df7c5bb1ccdeaffd5e386

auth: properly invoke PermFunctions (CVE-2016-3114)

This fixes a vulnerability that allowed logged-in users to edit or
delete open pull requests associated with any repository to which
they had read access, plus a related vulnerability allowing logged-in
users to delete any comment from any repository, provided they could
determine the comment ID and had read access to just one repository.

diff --git a/kallithea/controllers/changeset.py b/kallithea/controllers/changeset.py
--- a/kallithea/controllers/changeset.py
+++ b/kallithea/controllers/changeset.py
@@ -423,11 +423,11 @@ class ChangesetController(BaseRepoContro
                                    'repository.admin')
     @jsonify
     def delete_comment(self, repo_name, comment_id):
-        co = ChangesetComment.get(comment_id)
-        if not co:
-            raise HTTPBadRequest()
+        co = ChangesetComment.get_or_404(comment_id)
+        if co.repo.repo_name != repo_name:
+            raise HTTPNotFound()
         owner = co.author.user_id == c.authuser.user_id
-        repo_admin = h.HasRepoPermissionAny('repository.admin')
+        repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
         if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
diff --git a/kallithea/controllers/pullrequests.py b/kallithea/controllers/pullrequests.py
--- a/kallithea/controllers/pullrequests.py
+++ b/kallithea/controllers/pullrequests.py
@@ -485,7 +485,7 @@ class PullrequestsController(BaseRepoCon
         #only owner or admin can update it
         owner = pull_request.owner.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if not (h.HasPermissionAny('hg.admin') or repo_admin or owner):
+        if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
             raise HTTPForbidden()
 
         _form = PullRequestPostForm()().to_python(request.POST)
@@ -788,7 +788,7 @@ class PullrequestsController(BaseRepoCon
 
         owner = co.author.user_id == c.authuser.user_id
         repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
-        if h.HasPermissionAny('hg.admin') or repo_admin or owner:
+        if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True