From 0ef0c909c3ef3595146a4e8a1dfb5320ddaa0a8f Mon Sep 17 00:00:00 2001
From: Igor Shishkin
Date: Fri, 28 Aug 2015 14:58:15 +0300
Subject: [PATCH] Security fix for possible private paste bruteforcing

There was an ability to fetch private pastes by their numbers(paste_id) which looks like security issue since could be used for bruteforcing.

Change-Id: I8e8bc9a05427a70b4203739e30a8fd8e532cfe96
Signed-off-by: Igor Shishkin
---
 lodgeit/controllers/pastes.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lodgeit/controllers/pastes.py b/lodgeit/controllers/pastes.py
index 085f95d..ef71958 100644
--- a/lodgeit/controllers/pastes.py
+++ b/lodgeit/controllers/pastes.py
@@ -88,7 +88,8 @@ class PasteController(object):
 """Show an existing paste."""
 linenos = local.request.args.get('linenos') != 'no'
 paste = Paste.get(identifier)
- if paste is None:
+
+ if (paste is None) or (paste.private and identifier.isdigit()):
 raise NotFound()
 if raw:
 return Response(paste.code, mimetype='text/plain; charset=utf-8')
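Review bot: The added guard keys the private-paste check to `identifier.isdigit()`, i.e. to the character class of the request string rather than to whether the paste was actually resolved by its numeric id; a private identifier that happened to consist only of digits would now be refused with NotFound, and `str.isdigit()` also accepts non-ASCII digit characters, so the boundary is looser than the intent (this also assumes the route hands `identifier` in as a str, which the hunk does not show). Comparing against the paste's own id is more direct and does not depend on the identifier's alphabet: `if paste is None or (paste.private and identifier == str(paste.paste_id)):` — `paste_id` is the name the commit message uses; confirm it against the model. Raising NotFound for both the missing and the private-by-number case keeps the two indistinguishable to a caller, which is the right choice here. If other handlers in PasteController also resolve a paste from a request identifier, they presumably need the same guard; only this method is in the hunk, and its def line sits above it.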