fix: guard POST keywords & allow co-maintainers to see keyword form

This addresses a severe security issue, which is omitted from this
git message for obscurity purposes.

Otherwise, it allows co-maintainers to see the keyword form when
viewing a package they co-maintain.

Closes #378

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2022-08-15 13:57:32 -07:00
parent 7b047578fd
commit 7a52da5587
No known key found for this signature in database
GPG key ID: F7E46DED420788F3
4 changed files with 28 additions and 5 deletions

@ -96,6 +96,12 @@ async def pkgbase_keywords(request: Request, name: str,
keywords: str = Form(default=str())):
pkgbase = get_pkg_or_base(name, PackageBase)
approved = [pkgbase.Maintainer] + [c.User for c in pkgbase.comaintainers]
has_cred = creds.has_credential(request.user, creds.PKGBASE_SET_KEYWORDS,
approved=approved)
if not has_cred:
return Response(status_code=HTTPStatus.UNAUTHORIZED)
# Lowercase all keywords. Our database table is case insensitive,
# and providing CI duplicates of keywords is erroneous.
keywords = set(k.lower() for k in keywords.split())
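Review bot: the early return under `if not has_cred:` answers with `HTTPStatus.UNAUTHORIZED` (401), but what fails here is authorization, not authentication: `request.user` may be a perfectly well logged-in user who is simply neither `pkgbase.Maintainer` nor one of `pkgbase.comaintainers`. HTTP 401 means "no valid credentials were presented" and is expected to carry a `WWW-Authenticate` challenge, whereas 403 `FORBIDDEN` is the code for "authenticated but not permitted"; using `HTTPStatus.FORBIDDEN` lets clients and access logs tell the two cases apart when reviewing failed attempts against this endpoint. If the rest of the codebase already uses 401 for credential-check failures, keep it consistent but document the convention. Placing the `creds.has_credential(...)` check ahead of the keyword normalisation is the right order, since nothing is computed or written for a caller who is not approved; the tests touched by this commit should assert on the response status for a logged-in user who is not in `approved` as well as for a co-maintainer, so a regression of this guard is caught.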