From 7dcdfdfa66605e4cb2249746f2c157e768f3afe8 Mon Sep 17 00:00:00 2001
From: Victor Shyba
Date: Wed, 30 Aug 2017 23:54:55 -0300
Subject: [bug] avoid cross uuid checks on incoming

Incoming API is supposed to be able to, given a valid service token, write a incoming document into any user database. Leaving the parameter as 'uuid' triggers defensive code against unauthorized accesses between users. This commit renames the parameter so this isn't checked.

-- Related: #8867
---
 src/leap/soledad/server/auth.py | 1 +
 src/leap/soledad/server/url_mapper.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/leap/soledad/server/auth.py b/src/leap/soledad/server/auth.py
index 89626ead..65e1adaf 100644
--- a/src/leap/soledad/server/auth.py
+++ b/src/leap/soledad/server/auth.py
@@ -123,6 +123,7 @@ class FileTokenChecker(object):
 line = line.strip()
 if not line.startswith('#'):
 service, token = line.split(':')
+ log.info("Loaded credentials for service: %s" % service)
 self._trusted_services_tokens[service] = token
 
 def requestAvatarId(self, credentials):
diff --git a/src/leap/soledad/server/url_mapper.py b/src/leap/soledad/server/url_mapper.py
index 423472b9..20f22510 100644
--- a/src/leap/soledad/server/url_mapper.py
+++ b/src/leap/soledad/server/url_mapper.py
@@ -78,4 +78,4 @@ class URLMapper(object):
 self._connect('/blobs/{uuid}/', ['GET'])
 
 # incoming resource
- self._connect('/incoming/{uuid}/{incoming_id}', ['PUT'])
+ self._connect('/incoming/{target_user_uuid}/{incoming_id}', ['PUT'])
-- 
cgit v1.2.3
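Review bot: The new line `+ log.info("Loaded credentials for service: %s" % service)` formats eagerly with `%`; if `log` is a stdlib `logging` logger the lazy form `log.info("Loaded credentials for service: %s", service)` is the idiom, and if it is a `twisted.logger.Logger` (plausible for this project, but not visible in the hunk) the form is `log.info("Loaded credentials for service: {service}", service=service)`. The line correctly logs only the service name and never the token read on the previous line, which is worth stating so a later edit does not "enrich" the message: `# log the service name only; the token must never reach the logs`. The loop and the method enclosing these lines start outside the hunk.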
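Review bot: Renaming the route parameter to `{target_user_uuid}` switches off the per-user uuid check for every caller that can reach `/incoming/{target_user_uuid}/{incoming_id}`, not only for callers presenting a service token, and nothing in this hunk restricts the route to service principals; if the same URL is also reachable with an ordinary user token (the resource and the checker are not visible here), a user could now PUT into another user's database. The requirement from the commit message — only a valid service token may write to any user database — should be enforced explicitly in the incoming resource or the authorization layer and covered by a test that a user token PUTting to a different uuid is rejected, rather than relying on the URL check being skipped by name. At minimum record the intent next to the route: `# incoming resource: target_user_uuid is deliberately not the caller's uuid; only trusted-service tokens may write here, which must be enforced by the resource/auth layer since the URL uuid check no longer applies`. The `URLMapper` method enclosing these lines starts outside the hunk.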