Changeset - 5923d7474287
default
0 3 0
Mads Kiilerich - 11 years ago 2015-02-06 03:35:40
madski@unity3d.com
[security fix] api: don't send internal data unless asked for it

This changeset fixes CVE-2015-0260.
See <https://kallithea-scm.org/security/cve-2015-0260.html> for
more details.
3 files changed with 11 insertions and 8 deletions:
kallithea/model/db.py
 
@@ -624,33 +624,36 @@ class User(Base, BaseModel):
 
    def get_default_user(cls, cache=False):
 
        user = User.get_by_username(User.DEFAULT_USER, cache=cache)
 
        if user is None:
 
            raise Exception('Missing default account!')
 
        return user
 

	
 
    def get_api_data(self):
 
    def get_api_data(self, details=False):
 
        """
 
        Common function for generating user related data for API
 
        """
 
        user = self
 
        data = dict(
 
            user_id=user.user_id,
 
            username=user.username,
 
            firstname=user.name,
 
            lastname=user.lastname,
 
            email=user.email,
 
            emails=user.emails,
 
            api_key=user.api_key,
 
            api_keys=user.api_keys,
 
            active=user.active,
 
            admin=user.admin,
 
        )
 
        if details:
 
            data.update(dict(
 
            extern_type=user.extern_type,
 
            extern_name=user.extern_name,
 
                api_key=user.api_key,
 
                api_keys=user.api_keys,
 
            last_login=user.last_login,
 
            ip_addresses=user.ip_addresses
 
        )
 
                ))
 
        return data
 

	
 
    def __json__(self):
 
        data = dict(
 
            full_name=self.full_name,
 
            full_name_or_username=self.full_name_or_username,
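Review bot: The docstring of get_api_data (hunk lines `def get_api_data(self, details=False):` through `return data`) is left unchanged and says nothing about `details`, although which fields that flag gates is the whole substance of the fix; I would extend it to `Common function for generating user related data for API.` followed by `Credential-bearing and internal fields (extern_type, extern_name, api_key, api_keys, last_login, ip_addresses) are only included when details is true.` Because `api_key` and `api_keys` are credentials, every caller that passes `details=True` becomes the place where the requester's entitlement to see them must be checked; those callers are outside this hunk, so I cannot confirm they do. Asking callers to spell the flag as a keyword, `get_api_data(details=True)`, rather than the bare positional `True` the updated tests use would keep that opt-in visible at each call site. The enclosing class User starts outside the hunk.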
kallithea/tests/functional/test_admin_users.py
 
@@ -126,13 +126,13 @@ class TestAdminUsersController(TestContr
 
        usr = fixture.create_user(self.test_user_1, password='qweqwe',
 
                                  email='testme@example.com',
 
                                  extern_type='internal',
 
                                  extern_name=self.test_user_1,
 
                                  skip_if_exists=True)
 
        Session().commit()
 
        params = usr.get_api_data()
 
        params = usr.get_api_data(True)
 
        params.update({'password_confirmation': ''})
 
        params.update({'new_password': ''})
 
        params.update(attrs)
 
        if name == 'email':
 
            params['emails'] = [attrs['email']]
 
        if name == 'extern_type':
 
@@ -146,13 +146,13 @@ class TestAdminUsersController(TestContr
 
                                          # so we use creation data
 

	
 
        response = self.app.put(url('user', id=usr.user_id), params)
 
        self.checkSessionFlash(response, 'User updated successfully')
 

	
 
        updated_user = User.get_by_username(self.test_user_1)
 
        updated_params = updated_user.get_api_data()
 
        updated_params = updated_user.get_api_data(True)
 
        updated_params.update({'password_confirmation': ''})
 
        updated_params.update({'new_password': ''})
 

	
 
        self.assertEqual(params, updated_params)
 

	
 
    def test_delete(self):
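Review bot: The updated calls `params = usr.get_api_data(True)` and `updated_params = updated_user.get_api_data(True)` pass the new flag positionally, so a reader of the test cannot tell what `True` selects; writing `usr.get_api_data(details=True)` (and likewise at the two calls in test_my_account.py) makes it explicit that the test deliberately opts into the credential-bearing fields. With details on, `params` now also carries api_key, api_keys, last_login and ip_addresses into the body sent by `self.app.put(url('user', id=usr.user_id), params)`, and the final `self.assertEqual(params, updated_params)` would also catch the endpoint accepting those values from the form; a comment such as `# details=True: api_key/ip fields are posted too and must come back unchanged` above the assertion would record that this is intended. The last_login adjustment that test_my_account.py makes before comparing is not visible in this hunk for the admin test, so I cannot tell whether the equality can fail on that field here. The enclosing test method starts outside the hunk.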
kallithea/tests/functional/test_my_account.py
 
@@ -103,13 +103,13 @@ class TestMyAccountController(TestContro
 
    def test_my_account_update(self, name, attrs):
 
        usr = fixture.create_user(self.test_user_1, password='qweqwe',
 
                                  email='testme@example.com',
 
                                  extern_type='internal',
 
                                  extern_name=self.test_user_1,
 
                                  skip_if_exists=True)
 
        params = usr.get_api_data()  # current user data
 
        params = usr.get_api_data(True)  # current user data
 
        user_id = usr.user_id
 
        self.log_user(username=self.test_user_1, password='qweqwe')
 

	
 
        params.update({'password_confirmation': ''})
 
        params.update({'new_password': ''})
 
        params.update({'extern_type': 'internal'})
 
@@ -119,13 +119,13 @@ class TestMyAccountController(TestContro
 
        response = self.app.post(url('my_account'), params)
 

	
 
        self.checkSessionFlash(response,
 
                               'Your account was updated successfully')
 

	
 
        updated_user = User.get_by_username(self.test_user_1)
 
        updated_params = updated_user.get_api_data()
 
        updated_params = updated_user.get_api_data(True)
 
        updated_params.update({'password_confirmation': ''})
 
        updated_params.update({'new_password': ''})
 

	
 
        params['last_login'] = updated_params['last_login']
 
        if name == 'email':
 
            params['emails'] = [attrs['email']]