forward port security fix from 0.9.1, fixes #177

2014-11-08 17:14:46 +01:00 · 2014-11-08 17:14:46 +01:00 · 04cc11f6d5
commit 04cc11f6d5
parent c7b1404c78
3 changed files with 29 additions and 13 deletions
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -27,6 +27,14 @@ Other changes:
 * misc. layout / UI improvments


+Release 0.9.1
+-------------
+
+Fixes:
+
+* fix security issue with "related hosts" / "service updaters", fixes #177
+
+
 Release 0.9.0
 -------------

--- a/nsupdate/main/templates/main/related_host_overview.html
+++ b/nsupdate/main/templates/main/related_host_overview.html
@ -5,10 +5,10 @@
    <div class="row">
        <div class="col-lg-12">
            <h3>{% trans "Related hosts" %}
-                <a href="{% url 'add_related_host' mpk %}" class="btn btn-primary btn-sm">{% trans "Add related host" %}</a>
+                <a href="{% url 'add_related_host' main_host.pk %}" class="btn btn-primary btn-sm">{% trans "Add related host" %}</a>
            </h3>
            <p>
-                {% trans "Main host:" %} <a href="{% url 'host_view' mpk %}">{{ main_host.get_fqdn }}</a>
+                {% trans "Main host:" %} <a href="{% url 'host_view' main_host.pk %}">{{ main_host.get_fqdn }}</a>
            </p>
            <table class="table">
            <thead>
@ -34,7 +34,7 @@
            {% for rh in related_hosts %}
                <tr>
                    <td>
-                        <a href="{% url 'related_host_view' mpk rh.pk %}">{{ rh }}</a>
+                        <a href="{% url 'related_host_view' main_host.pk rh.pk %}">{{ rh }}</a>
                        <br>
                        {{ rh.comment }}
                    </td>
--- a/nsupdate/main/views.py
+++ b/nsupdate/main/views.py
@ -300,14 +300,17 @@ class RelatedHostOverviewView(TemplateView):

    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
+        try:
+            self.__main_host = Host.objects.get(pk=kwargs.pop('mpk', None), created_by=self.request.user)
+        except Host.DoesNotExist:
+            raise PermissionDenied()  # or Http404
        return super(RelatedHostOverviewView, self).dispatch(*args, **kwargs)

    def get_context_data(self, *args, **kwargs):
        context = super(RelatedHostOverviewView, self).get_context_data(*args, **kwargs)
        context['nav_overview'] = True
-        mpk = kwargs.get('mpk')
-        context['main_host'] = Host.objects.get(pk=mpk)
-        context['related_hosts'] = RelatedHost.objects.filter(main_host=mpk)
+        context['main_host'] = self.__main_host
+        context['related_hosts'] = RelatedHost.objects.filter(main_host=self.__main_host)
        return context


@ -318,7 +321,10 @@ class AddRelatedHostView(CreateView):

    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
-        self.__main_host_pk = kwargs.pop('mpk')
+        try:
+            self.__main_host = Host.objects.get(pk=kwargs.pop('mpk', None), created_by=self.request.user)
+        except Host.DoesNotExist:
+            raise PermissionDenied()  # or Http404
        return super(AddRelatedHostView, self).dispatch(*args, **kwargs)

    def get_success_url(self):
@ -330,7 +336,7 @@ class AddRelatedHostView(CreateView):

    def form_valid(self, form):
        self.object = form.save(commit=False)
-        self.object.main_host = Host(pk=self.__main_host_pk)
+        self.object.main_host = self.__main_host
        self.object.save()
        success, level, msg = True, messages.SUCCESS, 'Related host added.'
        messages.add_message(self.request, level, msg)
@ -481,15 +487,18 @@ class UpdaterHostConfigOverviewView(CreateView):

    @method_decorator(login_required)
    def dispatch(self, *args, **kwargs):
-        self.__host_pk = kwargs.pop('pk', None)
+        try:
+            self.__host = Host.objects.get(pk=kwargs.pop('pk', None), created_by=self.request.user)
+        except Host.DoesNotExist:
+            raise PermissionDenied()  # or Http404
        return super(UpdaterHostConfigOverviewView, self).dispatch(*args, **kwargs)

    def get_success_url(self):
-        return reverse('updater_hostconfig_overview', args=(self.__host_pk,))
+        return reverse('updater_hostconfig_overview', args=(self.__host.pk, ))

    def form_valid(self, form):
        self.object = form.save(commit=False)
-        self.object.host = Host(pk=self.__host_pk)
+        self.object.host = self.__host
        self.object.created_by = self.request.user
        self.object.save()
        messages.add_message(self.request, messages.SUCCESS, 'Service Updater Host Configuration added.')
@ -498,8 +507,7 @@ class UpdaterHostConfigOverviewView(CreateView):
    def get_context_data(self, *args, **kwargs):
        context = super(
            UpdaterHostConfigOverviewView, self).get_context_data(*args, **kwargs)
-        context['updater_configs'] = ServiceUpdaterHostConfig.objects.filter(
-            host=self.__host_pk)
+        context['updater_configs'] = ServiceUpdaterHostConfig.objects.filter(host=self.__host)
        return context