YunoHost/yunodevtools
1
0
Fork 0
mirror of https://github.com/YunoHost/yunodevtools.git synced 2024-09-03 20:16:19 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

appstore: oopsies, we did no check of discourse's signature meaning people could impersonate anybody /o\

Browse source
This commit is contained in:
Alexandre Aubin 2023-09-25 21:20:29 +02:00
parent 07b3315f46
commit dda9878bc2
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
store/app.py
View file

@ -257,7 +257,7 @@ def add_to_wishlist():
author = InputGitAuthor(config["GITHUB_LOGIN"], config["GITHUB_EMAIL"]) author = InputGitAuthor(config["GITHUB_LOGIN"], config["GITHUB_EMAIL"])
repo = github.get_repo("Yunohost/apps") repo = github.get_repo("Yunohost/apps")
current_wishlist_rawtoml = repo.get_contents( current_wishlist_rawtoml = repo.get_contents(
"wishlist.toml", ref=repo.default_branch) "wishlist.toml", ref=repo.default_branch
) )
current_wishlist_sha = current_wishlist_rawtoml.sha current_wishlist_sha = current_wishlist_rawtoml.sha
current_wishlist_rawtoml = current_wishlist_rawtoml.decoded_content.decode() current_wishlist_rawtoml = current_wishlist_rawtoml.decoded_content.decode()
@ -391,7 +391,18 @@ def login_using_discourse():
@app.route("/sso_login_callback") @app.route("/sso_login_callback")
def sso_login_callback(): def sso_login_callback():
computed_sig = hmac.new(
config["DISCOURSE_SSO_SECRET"].encode(),
msg=request.args["sso"].encode(),
digestmod=hashlib.sha256,
).hexdigest()
if computed_sig != request.args["sig"]:
return "Invalid signature from discourse!?", 401
response = base64.b64decode(request.args["sso"].encode()).decode() response = base64.b64decode(request.args["sso"].encode()).decode()
user_data = urllib.parse.parse_qs(response) user_data = urllib.parse.parse_qs(response)
if user_data["nonce"][0] != session.get("nonce"): if user_data["nonce"][0] != session.get("nonce"):
return "Invalid nonce", 401 return "Invalid nonce", 401