Changeset - 5923d7474287
[Not reviewed]
default
0 3 0
Mads Kiilerich (kiilerix) - 4 years ago 2015-02-06 02:35:40
mads@kiilerich.com
[security fix] api: don't send internal data unless asked for it

This changeset fixes CVE-2015-0260.
See <https://kallithea-scm.org/security/cve-2015-0260.html>; for
more details.
3 files changed with 14 insertions and 11 deletions:
0 comments (0 inline, 0 general)
kallithea/model/db.py
Show inline comments
...
 
@@ -627,7 +627,7 @@ class User(Base, BaseModel):
 
            raise Exception('Missing default account!')
 
        return user
 

	
 
    def get_api_data(self):
 
    def get_api_data(self, details=False):
 
        """
 
        Common function for generating user related data for API
 
        """
...
 
@@ -639,15 +639,18 @@ class User(Base, BaseModel):
 
            lastname=user.lastname,
 
            email=user.email,
 
            emails=user.emails,
 
            api_key=user.api_key,
 
            api_keys=user.api_keys,
 
            active=user.active,
 
            admin=user.admin,
 
            extern_type=user.extern_type,
 
            extern_name=user.extern_name,
 
            last_login=user.last_login,
 
            ip_addresses=user.ip_addresses
 
        )
 
        if details:
 
            data.update(dict(
 
                extern_type=user.extern_type,
 
                extern_name=user.extern_name,
 
                api_key=user.api_key,
 
                api_keys=user.api_keys,
 
                last_login=user.last_login,
 
                ip_addresses=user.ip_addresses
 
                ))
 
        return data
 

	
 
    def __json__(self):
kallithea/tests/functional/test_admin_users.py
Show inline comments
...
 
@@ -129,7 +129,7 @@ class TestAdminUsersController(TestContr
 
                                  extern_name=self.test_user_1,
 
                                  skip_if_exists=True)
 
        Session().commit()
 
        params = usr.get_api_data()
 
        params = usr.get_api_data(True)
 
        params.update({'password_confirmation': ''})
 
        params.update({'new_password': ''})
 
        params.update(attrs)
...
 
@@ -149,7 +149,7 @@ class TestAdminUsersController(TestContr
 
        self.checkSessionFlash(response, 'User updated successfully')
 

	
 
        updated_user = User.get_by_username(self.test_user_1)
 
        updated_params = updated_user.get_api_data()
 
        updated_params = updated_user.get_api_data(True)
 
        updated_params.update({'password_confirmation': ''})
 
        updated_params.update({'new_password': ''})
 

	
kallithea/tests/functional/test_my_account.py
Show inline comments
...
 
@@ -106,7 +106,7 @@ class TestMyAccountController(TestContro
 
                                  extern_type='internal',
 
                                  extern_name=self.test_user_1,
 
                                  skip_if_exists=True)
 
        params = usr.get_api_data()  # current user data
 
        params = usr.get_api_data(True)  # current user data
 
        user_id = usr.user_id
 
        self.log_user(username=self.test_user_1, password='qweqwe')
 

	
...
 
@@ -122,7 +122,7 @@ class TestMyAccountController(TestContro
 
                               'Your account was updated successfully')
 

	
 
        updated_user = User.get_by_username(self.test_user_1)
 
        updated_params = updated_user.get_api_data()
 
        updated_params = updated_user.get_api_data(True)
 
        updated_params.update({'password_confirmation': ''})
 
        updated_params.update({'new_password': ''})
 

	
0 comments (0 inline, 0 general)