opendev/lodgeit
Code Issues Proposed changes

Merge "Security fix for possible private paste bruteforcing"

Browse Source
This commit is contained in:
Jenkins 2015-11-17 10:04:31 +00:00 committed by Gerrit Code Review
commit 0939be787c
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lodgeit/controllers/pastes.py
View File

@ -87,7 +87,8 @@ class PasteController(object):
"""Show an existing paste.""" """Show an existing paste."""
linenos = local.request.args.get('linenos') != 'no' linenos = local.request.args.get('linenos') != 'no'
paste = Paste.get(identifier) paste = Paste.get(identifier)
if paste is None:
if (paste is None) or (paste.private and identifier.isdigit()):
raise NotFound() raise NotFound()
if raw: if raw:
return Response(paste.code, mimetype='text/plain; charset=utf-8') return Response(paste.code, mimetype='text/plain; charset=utf-8')