author | Jessica Tallon <jessica@megworld.co.uk> | 2014-07-31 20:33:04 +0100 |
---|---|---|
committer | Jessica Tallon <jessica@megworld.co.uk> | 2014-07-31 20:33:04 +0100 |
commit | 8917ffb1e73ac8ed0fc825113593e5e5ca9b4573 (patch) | |
tree | 440f74094d61ff74a3316b537eba9102162967a3 /mediagoblin/federation | |
parent | 5e5d445890c6c555dff48b1613c285da983d71c8 (diff) | |
Fix some security concerns regarding impersonation in federation code.
Diffstat (limited to 'mediagoblin/federation')
-rw-r--r-- | mediagoblin/federation/views.py | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/mediagoblin/federation/views.py b/mediagoblin/federation/views.py
index a6912166..d3ded448 100644
--- a/mediagoblin/federation/views.py
+++ b/mediagoblin/federation/views.py
@@ -73,8 +73,16 @@ def uploads(request):
 if requested_user is None:
 return json_error("No such 'user' with id '{0}'".format(user), 404)
- request.user = requested_user[0]
+ requested_user = requested_user[0]
 if request.method == "POST":
+ # Ensure that the user is only able to upload to their own
+ # upload endpoint.
+ if requested_user.id != request.user.id:
+ return json_error(
+ "Not able to post to another users feed.",
+ status=403
+ )
+
 # Wrap the data in the werkzeug file wrapper
 if "Content-Type" not in request.headers:
 return json_error(
@@ -107,12 +115,20 @@ def feed(request):
 if requested_user is None:
 return json_error("No such 'user' with id '{0}'".format(user), 404)
- request.user = requested_user[0]
+ requested_user = requested_user[0]
 if request.data:
 data = json.loads(request.data)
 else:
 data = {"verb": None, "object": {}}
+ # We need to check that the user they're posting to is
+ # the person that they are.
+ if request.method in ["POST", "PUT"] and requested_user.id != request.user.id:
+ return json_error(
+ "Not able to post to another users feed.",
+ status=403
+ )
+
 if request.method == "POST" and data["verb"] == "post":
 obj = data.get("object", None)
 if obj is None: |
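Review bot: In the ownership check added to uploads(), `request.user.id` is dereferenced without first confirming that `request.user` is set, so an unauthenticated POST to another user's upload endpoint would fail with an AttributeError (a 500) rather than an explicit 401/403, unless a decorator outside the hunk already guarantees an authenticated user. A guard such as `if request.user is None or requested_user.id != request.user.id:` keeps the denial explicit; the same applies to the check added in feed() in the second hunk, where the comparison additionally runs only after `json.loads(request.data)` has parsed the body, so placing the 403 ahead of the parse means an unauthorised caller never drives the JSON parser. The message `"Not able to post to another users feed."` is also reused verbatim for the uploads endpoint, where `"Not able to upload to another user's endpoint."` would describe the refusal accurately. Both uploads() and feed() begin before their hunks.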