Merge "Security fix for possible private paste bruteforcing"

Jenkins 2015-11-17 10:04:31 +00:00 committed by Gerrit Code Review
commit 0939be787c
1 changed files with 2 additions and 1 deletions


@ -87,7 +87,8 @@ class PasteController(object):
"""Show an existing paste."""
linenos = local.request.args.get('linenos') != 'no'
paste = Paste.get(identifier)
if paste is None:
if (paste is None) or (paste.private and identifier.isdigit()):
raise NotFound()
if raw:
return Response(paste.code, mimetype='text/plain; charset=utf-8')
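Review bot: The private-paste rule on the `if (paste is None) or (paste.private and identifier.isdigit()):` line is enforced only in this one handler, so any other code path that calls `Paste.get(identifier)` (none are visible in this hunk) would presumably still return a private paste when given its numeric id. Moving the rule into `Paste.get` would cover every caller at once and keep the access decision next to the lookup. The check also relies on two things the hunk does not show: that `identifier` is always a string, and that a private id can never consist only of digits, since such a paste would now always return NotFound; both are worth confirming against the id generator and the URL routing. A short comment above the condition would help the next reader, for example `# private pastes are served only via their private id, never via the sequential numeric id`, and a regression test for the numeric-id case would keep the fix from being undone. The handler's body starts and continues outside the hunk.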