bug / pagure

Clone
Source Code
GIT

446bcc Make API endpoint for creating new git branch have its own ACL

Authored and Committed by Pierre-Yves Chibon 6 years ago
raw patch tree parent
2 files changed. 7 lines added. 1 lines removed.
pagure/api/project.py
file modified
+5 -1
pagure/default_config.py
file modified
+2 -0 
    Make API endpoint for creating new git branch have its own ACL
    
    Basically, that API endpoint was relying on the modify_project ACL which
    is a public ACL so users can update descriptions of their projects.
    It's also an ACL that can be created with non-project specific API token
    thus making anyone's API token with this ACL able to create new git
    branches in any project.
    
    This fixes CVE: CVE-2018-1002151
    
    Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr></pingou@pingoured.fr>
file modified
+5 -1
file modified
+2 -0

Powered by Pagure 5.7.4

SSH Hostkey/Fingerprint | Documentation | About

© 2014-2019 Red Hat, Inc. and others.

Logo by Pavel Lashutin