##// END OF EJS Templates
security: use 404 instead of 403 code on permission decorator to prevent resource discovery attacks.
ergo -
r1817:7df55c97 default
parent child Browse files
Show More
@@ -34,7 +34,7 b' import traceback'
34 from functools import wraps
34 from functools import wraps
35
35
36 import ipaddress
36 import ipaddress
37 from pyramid.httpexceptions import HTTPForbidden, HTTPFound
37 from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
38 from pylons.i18n.translation import _
38 from pylons.i18n.translation import _
39 # NOTE(marcink): this has to be removed only after pyramid migration,
39 # NOTE(marcink): this has to be removed only after pyramid migration,
40 # replace with _ = request.translate
40 # replace with _ = request.translate
@@ -1415,8 +1415,8 b' class PermsDecorator(object):'
1415 h.route_path('login', _query={'came_from': came_from}))
1415 h.route_path('login', _query={'came_from': came_from}))
1416
1416
1417 else:
1417 else:
1418 # redirect with forbidden ret code
1418 # redirect with 404 to prevent resource discovery
1419 raise HTTPForbidden()
1419 raise HTTPNotFound()
1420
1420
1421 def check_permissions(self, user):
1421 def check_permissions(self, user):
1422 """Dummy function for overriding"""
1422 """Dummy function for overriding"""
@@ -462,7 +462,7 b' class TestOpenSourceLicenses(object):'
462 '.panel-heading', 'Licenses of Third Party Packages')
462 '.panel-heading', 'Licenses of Third Party Packages')
463
463
464 def test_forbidden_when_normal_user(self, autologin_regular_user):
464 def test_forbidden_when_normal_user(self, autologin_regular_user):
465 self.app.get(self._get_url(), status=403)
465 self.app.get(self._get_url(), status=404)
466
466
467
467
468 @pytest.mark.usefixtures('app')
468 @pytest.mark.usefixtures('app')
@@ -475,7 +475,7 b' class TestUserSessions(object):'
475 }[name]
475 }[name]
476
476
477 def test_forbidden_when_normal_user(self, autologin_regular_user):
477 def test_forbidden_when_normal_user(self, autologin_regular_user):
478 self.app.get(self._get_url(), status=403)
478 self.app.get(self._get_url(), status=404)
479
479
480 def test_show_sessions_page(self, autologin_user):
480 def test_show_sessions_page(self, autologin_user):
481 response = self.app.get(self._get_url(), status=200)
481 response = self.app.get(self._get_url(), status=200)
@@ -502,7 +502,7 b' class TestAdminSystemInfo(object):'
502 }[name]
502 }[name]
503
503
504 def test_forbidden_when_normal_user(self, autologin_regular_user):
504 def test_forbidden_when_normal_user(self, autologin_regular_user):
505 self.app.get(self._get_url(), status=403)
505 self.app.get(self._get_url(), status=404)
506
506
507 def test_system_info_page(self, autologin_user):
507 def test_system_info_page(self, autologin_user):
508 response = self.app.get(self._get_url())
508 response = self.app.get(self._get_url())
@@ -75,7 +75,7 b' class _BaseTest(TestController):'
75 repo_name = self.REPO
75 repo_name = self.REPO
76 self.app.post(
76 self.app.post(
77 url(controller='forks', action='fork_create', repo_name=repo_name),
77 url(controller='forks', action='fork_create', repo_name=repo_name),
78 {'csrf_token': self.csrf_token}, status=403)
78 {'csrf_token': self.csrf_token}, status=404)
79
79
80 def test_index_with_fork(self):
80 def test_index_with_fork(self):
81 self.log_user()
81 self.log_user()
General Comments 0
You need to be logged in to leave comments. Login now