Mads Kiilerich (kiilerix) - 2 years ago 2015-02-06 02:35:40
mads@kiilerich.com
[security fix] api: don't send internal data unless asked for it

This changeset fixes CVE-2015-0260.
See <https://kallithea-scm.org/security/cve-2015-0260.html> for
more details.
3 files changed with 14 insertions and 11 deletions:
kallithea/model/db.py
...
 
@@ -627,7 +627,7 @@ class User(Base, BaseModel):
627 627
 
            raise Exception('Missing default account!')
628 628
 
        return user
629 629
 

	
630
 
    def get_api_data(self):
630
 
    def get_api_data(self, details=False):
631 631
 
        """
632 632
 
        Common function for generating user related data for API
633 633
 
        """
...
 
@@ -639,15 +639,18 @@ class User(Base, BaseModel):
639 639
 
            lastname=user.lastname,
640 640
 
            email=user.email,
641 641
 
            emails=user.emails,
642
 
            api_key=user.api_key,
643
 
            api_keys=user.api_keys,
644 642
 
            active=user.active,
645 643
 
            admin=user.admin,
646
 
            extern_type=user.extern_type,
647
 
            extern_name=user.extern_name,
648
 
            last_login=user.last_login,
649
 
            ip_addresses=user.ip_addresses
650 644
 
        )
645
 
        if details:
646
 
            data.update(dict(
647
 
                extern_type=user.extern_type,
648
 
                extern_name=user.extern_name,
649
 
                api_key=user.api_key,
650
 
                api_keys=user.api_keys,
651
 
                last_login=user.last_login,
652
 
                ip_addresses=user.ip_addresses
653
 
                ))
651 654
 
        return data
652 655
 

	
653 656
 
    def __json__(self):
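Review bot: The new `details` parameter is not mentioned in the docstring of `get_api_data` (hunk at 627), so a caller reading the signature cannot tell which fields it unlocks; I would extend the docstring with `:param details: also include internal fields (extern_type, extern_name, api_key, api_keys, last_login, ip_addresses); defaults to False so the API omits them unless explicitly requested`. The second hunk (639) begins inside the `data = dict(` literal, whose opening line is above the hunk. Note that `email` and `emails` remain in the non-detailed payload; whether the secondary address list should be gated the same way is presumably a deliberate choice, but it is worth stating in the docstring so the boundary between public and internal fields is explicit. Minor style: `data.update(dict(extern_type=..., ...))` can be written as `data.update(extern_type=..., ...)` without the intermediate dict.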
kallithea/tests/functional/test_admin_users.py
...
 
@@ -129,7 +129,7 @@ class TestAdminUsersController(TestContr
129 129
 
                                  extern_name=self.test_user_1,
130 130
 
                                  skip_if_exists=True)
131 131
 
        Session().commit()
132
 
        params = usr.get_api_data()
132
 
        params = usr.get_api_data(True)
133 133
 
        params.update({'password_confirmation': ''})
134 134
 
        params.update({'new_password': ''})
135 135
 
        params.update(attrs)
...
 
@@ -149,7 +149,7 @@ class TestAdminUsersController(TestContr
149 149
 
        self.checkSessionFlash(response, 'User updated successfully')
150 150
 

	
151 151
 
        updated_user = User.get_by_username(self.test_user_1)
152
 
        updated_params = updated_user.get_api_data()
152
 
        updated_params = updated_user.get_api_data(True)
153 153
 
        updated_params.update({'password_confirmation': ''})
154 154
 
        updated_params.update({'new_password': ''})
155 155
 

	
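Review bot: Both updated calls pass the new flag positionally (`params = usr.get_api_data(True)` at 132 and `updated_params = updated_user.get_api_data(True)` at 152); a bare boolean argument hides what is being requested, so `usr.get_api_data(details=True)` would read better, and the same applies to the two calls in kallithea/tests/functional/test_my_account.py. Neither test pins the property this security fix introduces: nothing asserts that `get_api_data()` without `details` omits the internal fields. A small assertion such as `assert 'api_key' not in usr.get_api_data()` next to the existing call would guard the default against regression. The enclosing test methods start and end outside the hunks shown.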
kallithea/tests/functional/test_my_account.py
...
 
@@ -106,7 +106,7 @@ class TestMyAccountController(TestContro
106 106
 
                                  extern_type='internal',
107 107
 
                                  extern_name=self.test_user_1,
108 108
 
                                  skip_if_exists=True)
109
 
        params = usr.get_api_data()  # current user data
109
 
        params = usr.get_api_data(True)  # current user data
110 110
 
        user_id = usr.user_id
111 111
 
        self.log_user(username=self.test_user_1, password='qweqwe')
112 112
 

	
...
 
@@ -122,7 +122,7 @@ class TestMyAccountController(TestContro
122 122
 
                               'Your account was updated successfully')
123 123
 

	
124 124
 
        updated_user = User.get_by_username(self.test_user_1)
125
 
        updated_params = updated_user.get_api_data()
125
 
        updated_params = updated_user.get_api_data(True)
126 126
 
        updated_params.update({'password_confirmation': ''})
127 127
 
        updated_params.update({'new_password': ''})
128 128
 

	