opendev/lodgeit
Code Issues Proposed changes

Security fix for possible private paste bruteforcing

Browse Source 
There was an ability to fetch private pastes by their numbers(paste_id)
which looks like security issue since could be used for bruteforcing.

Change-Id: I8e8bc9a05427a70b4203739e30a8fd8e532cfe96
Signed-off-by: Igor Shishkin <ishishkin@mirantis.com>
This commit is contained in:
Igor Shishkin 2015-08-28 14:58:15 +03:00
parent beb3ff7e26
commit 0ef0c909c3
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lodgeit/controllers/pastes.py
View File

@ -88,7 +88,8 @@ class PasteController(object):
"""Show an existing paste.""" """Show an existing paste."""
linenos = local.request.args.get('linenos') != 'no' linenos = local.request.args.get('linenos') != 'no'
paste = Paste.get(identifier) paste = Paste.get(identifier)
if paste is None:
if (paste is None) or (paste.private and identifier.isdigit()):
raise NotFound() raise NotFound()
if raw: if raw:
return Response(paste.code, mimetype='text/plain; charset=utf-8') return Response(paste.code, mimetype='text/plain; charset=utf-8')