From 367bc70f568345911929fae80c54a9e1679e9441 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann <tw@waldmann-edv.de>
Date: Sun, 10 Nov 2013 07:57:40 +0100
Subject: [PATCH] security fix: authenticating is not enough, hostname qs param
 (if given) also needs to match the username

---
 nsupdate/api/views.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/nsupdate/api/views.py b/nsupdate/api/views.py
index fbeffe2..9dda8dc 100644
--- a/nsupdate/api/views.py
+++ b/nsupdate/api/views.py
@@ -193,9 +193,15 @@ class NicUpdateView(View):
         if not check_api_auth(username, password):
             logger.info('%s - received bad credentials, username: %s' % (hostname, username, ))
             return basic_challenge("authenticate to update DNS", 'badauth')
+        logging.info("authenticated by update secret for host %s" % username)
         if hostname is None:
             # as we use update_username == hostname, we can fall back to that:
             hostname = username
+        elif hostname != username:
+            # trying to update a hostname given in querystring that doesn't
+            # match the username, which is required for us!
+            # maybe this host is owned by same person, but we can't know.
+            return Response('nohost')  # or 'badauth'?
         ipaddr = request.GET.get('myip')
         if ipaddr is None:
             ipaddr = request.META.get('REMOTE_ADDR')
@@ -232,6 +238,7 @@ class AuthorizedNicUpdateView(View):
         if not check_session_auth(request.user, hostname):
             logger.info('%s - is not owned by user: %s' % (hostname, request.user.username, ))
             return Response('nohost')
+        logging.info("authenticated by session as user %s, creator of host %s" % (request.user.username, hostname))
         ipaddr = request.GET.get('myip')
         if not ipaddr:
             ipaddr = request.META.get('REMOTE_ADDR')