Security fix for possible private paste bruteforcing

There was an ability to fetch private pastes by their numbers (paste_id),
which looks like a security issue since it could be used for bruteforcing.

Change-Id: I8e8bc9a05427a70b4203739e30a8fd8e532cfe96
Signed-off-by: Igor Shishkin <ishishkin@mirantis.com>
Igor Shishkin 2015-08-28 14:58:15 +03:00
parent beb3ff7e26
commit 0ef0c909c3
1 changed files with 2 additions and 1 deletions


@ -88,7 +88,8 @@ class PasteController(object):
"""Show an existing paste."""
linenos = local.request.args.get('linenos') != 'no'
paste = Paste.get(identifier)
if paste is None:
if (paste is None) or (paste.private and identifier.isdigit()):
raise NotFound()
if raw:
return Response(paste.code, mimetype='text/plain; charset=utf-8')
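Review bot: the new condition on the `if (paste is None) or (paste.private and identifier.isdigit()):` line relies on `identifier.isdigit()` as the only signal that a private paste was addressed by its sequential number, which silently assumes two things the hunk does not show: that `identifier` always arrives as a `str` (an integer route converter would raise `AttributeError` here rather than a 404), and that the opaque identifiers handed out for private pastes can never consist solely of digits, otherwise such a paste becomes unreachable through its own legitimate link. Consider enforcing the second property where private identifiers are generated, or deciding "addressed by number" from how the lookup was resolved rather than from a digit test. Also, `Paste.get(identifier)` still executes before the check, so the numeric lookup is performed and then discarded; moving the digit test ahead of the query avoids the needless database hit. Returning `NotFound()` rather than a forbidden response is the right choice, since it does not confirm that a paste exists at that number; a sentence in the `"""Show an existing paste."""` docstring stating that private pastes are not served by numeric id, plus a regression test for the 404, would document that intent.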