Changeset - 81057be7a5c1
stable
Søren Løvborg - 10 years ago 2016-04-19 16:57:38
sorenl@unity3d.com
auth: properly invoke PermFunctions (CVE-2016-3114)

This fixes a vulnerability that allowed logged-in users to edit or
delete open pull requests associated with any repository to which
they had read access, plus a related vulnerability allowing logged-in
users to delete any comment from any repository, provided they could
determine the comment ID and had read access to just one repository.
2 files changed with 6 insertions and 6 deletions:
kallithea/controllers/changeset.py
@@ -423,11 +423,11 @@ class ChangesetController(BaseRepoContro
 
                                   'repository.admin')
 
    @jsonify
 
    def delete_comment(self, repo_name, comment_id):
 
        co = ChangesetComment.get(comment_id)
 
        if not co:
 
            raise HTTPBadRequest()
 
        co = ChangesetComment.get_or_404(comment_id)
 
        if co.repo.repo_name != repo_name:
 
            raise HTTPNotFound()
 
        owner = co.author.user_id == c.authuser.user_id
 
        repo_admin = h.HasRepoPermissionAny('repository.admin')
 
        repo_admin = h.HasRepoPermissionAny('repository.admin')(repo_name)
 
        if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
 
            ChangesetCommentsModel().delete(comment=co)
 
            Session().commit()
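Review bot: The branch taken when `if h.HasPermissionAny('hg.admin')() or repo_admin or owner:` is false lies outside the hunk, so it is not visible whether an unauthorized caller gets an explicit `HTTPForbidden` or a silent success response; the sibling update in pullrequests.py at 485 raises `HTTPForbidden()` in that case, and delete_comment would be easier to audit with the same explicit `else: raise HTTPForbidden()`. The new `if co.repo.repo_name != repo_name:` line is the actual cross-repository guard and deserves a comment saying why it exists, e.g. `# the comment must belong to the repository the caller is being authorized against; a comment id alone must not grant deletion via another repo (CVE-2016-3114)`. delete_comment's body continues past the end of the hunk.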
kallithea/controllers/pullrequests.py
@@ -485,7 +485,7 @@ class PullrequestsController(BaseRepoCon
 
        #only owner or admin can update it
 
        owner = pull_request.owner.user_id == c.authuser.user_id
 
        repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
 
        if not (h.HasPermissionAny('hg.admin') or repo_admin or owner):
 
        if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
 
            raise HTTPForbidden()
 

	
 
        _form = PullRequestPostForm()().to_python(request.POST)
 
@@ -788,7 +788,7 @@ class PullrequestsController(BaseRepoCon
 

	
 
        owner = co.author.user_id == c.authuser.user_id
 
        repo_admin = h.HasRepoPermissionAny('repository.admin')(c.repo_name)
 
        if h.HasPermissionAny('hg.admin') or repo_admin or owner:
 
        if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
 
            ChangesetCommentsModel().delete(comment=co)
 
            Session().commit()
 
            return True
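Review bot: The changes at 485 and 788 (and the one in changeset.py) repair each call site where `h.HasPermissionAny('hg.admin')` was used without the trailing call, but nothing prevents the same slip recurring: the uncalled permission object is evidently truthy (that is what made the old check always pass), so a future `if h.HasPermissionAny(...) or ...:` would silently grant access again. A cheap structural guard would be a `__nonzero__`/`__bool__` on the permission-check class that raises instead of returning True (the class is not in this diff, so that is a follow-up), or collapsing the three repeated owner/repo_admin/hg.admin checks into one helper such as `def _can_modify(owner_user_id, repo_name): return h.HasPermissionAny('hg.admin')() or h.HasRepoPermissionAny('repository.admin')(repo_name) or owner_user_id == c.authuser.user_id` so there is a single place to get right. For the hunk at 788, the lines that load `co` precede the hunk, so whether a `co.repo.repo_name != c.repo_name` check equivalent to the one added in changeset.py is present cannot be seen here and is worth confirming. Both enclosing functions start and end outside their hunks.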