abhishek-ram / django-pyas2

AS2 file transfer Server built on Python and Django.
https://django-pyas2.readthedocs.io
GNU General Public License v3.0

Protect download endpoint and fix it for some database systems #23

Closed loop0 closed 4 years ago

loop0 commented 4 years ago

This PR fixes 2 issues:

The most important one is that the download view is unprotected, and because the certificate id is serial, it makes it very easy for an attacker to download the certificates without any authentication.

The second fix is that for some types of databases the download won't work because it will return a memory pointer instead of the actual content. As listed here: https://code.djangoproject.com/ticket/27813
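Both defects described in the PR, shown as an added example that is not code from django-pyas2: the download view in its vulnerable shape next to a fixed one. Django is replaced by small in-memory stand-ins for the request, the user, the model row and the response so the file runs offline; the attribute names (`is_authenticated`, `is_staff`, `pk`) match Django's. The certificate rows are constructed, row 2 holding a `memoryview` because that is what a `BinaryField` comes back as on PostgreSQL (the case behind the linked Django ticket). The login URL, the `/download/<pk>/` path, the staff-only policy and the PEM content type are assumptions chosen for the example.

```python
"""
Added example (not django-pyas2 code): the certificate download view before
and after the two fixes described in the PR, with Django replaced by small
in-memory stand-ins so the file runs without a database or a web server.
"""
from dataclasses import dataclass, field
from typing import Dict, Union

LOGIN_URL = "/accounts/login/"   # assumption: Django's default LOGIN_URL


@dataclass
class User:
    """Stand-in for django.contrib.auth's user object (same attribute names)."""
    username: str
    is_authenticated: bool = True
    is_staff: bool = False


ANONYMOUS = User(username="", is_authenticated=False)


@dataclass
class Request:
    user: User


@dataclass
class Response:
    status: int
    body: Union[bytes, memoryview] = b""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Certificate:
    """Stand-in for the model row; `certificate` is a BinaryField value."""
    pk: int
    name: str
    certificate: Union[bytes, memoryview]


# Constructed sample rows. pk=1 is what SQLite returns for a BinaryField
# (bytes); pk=2 is what PostgreSQL returns (a memoryview), the case the
# Django ticket linked in the PR is about.
PEM_A = b"-----BEGIN CERTIFICATE-----\nMIIB...partner-a...\n-----END CERTIFICATE-----\n"
PEM_B = b"-----BEGIN CERTIFICATE-----\nMIIB...partner-b...\n-----END CERTIFICATE-----\n"
CERTIFICATES: Dict[int, Certificate] = {
    1: Certificate(1, "partner_a.pem", PEM_A),
    2: Certificate(2, "partner_b.pem", memoryview(PEM_B)),
}


def download_certificate_before(request: Request, pk: int) -> Response:
    """The vulnerable shape: no auth check, raw field value in the body."""
    cert = CERTIFICATES.get(pk)
    if cert is None:
        return Response(404)
    return Response(200, cert.certificate,
                    {"Content-Disposition": f'attachment; filename="{cert.name}"'})


def to_bytes(value: Union[bytes, bytearray, memoryview]) -> bytes:
    """Normalise a BinaryField value so the response body is real bytes."""
    if isinstance(value, memoryview):
        return value.tobytes()
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    raise TypeError(f"unexpected BinaryField type {type(value).__name__}")


def download_certificate(request: Request, pk: int) -> Response:
    """Fixed shape: gate before any lookup, normalise before responding."""
    # Fix 1: pk is a serial integer, so anyone can enumerate it. Unauthenticated
    # callers get what Django's login_required gives them: a redirect to login.
    # (/download/<pk>/ is an assumed route name for this example.)
    if not request.user.is_authenticated:
        return Response(302, headers={"Location": f"{LOGIN_URL}?next=/download/{pk}/"})
    # Assumption: only staff (admin users) may fetch stored certificates. Without
    # this, any logged-in user could still walk the serial ids.
    if not request.user.is_staff:
        return Response(403)
    cert = CERTIFICATES.get(pk)
    if cert is None:
        return Response(404)
    # Fix 2: memoryview -> bytes before the value reaches the response body.
    body = to_bytes(cert.certificate)
    return Response(200, body, {
        "Content-Type": "application/x-pem-file",   # assumed type for PEM downloads
        "Content-Disposition": f'attachment; filename="{cert.name}"',
    })


if __name__ == "__main__":
    for who in (ANONYMOUS, User("bob"), User("alice", is_staff=True)):
        before = download_certificate_before(Request(who), 2)
        after = download_certificate(Request(who), 2)
        print(f"{who.username or 'anonymous':>9}: before={before.status} "
              f"({type(before.body).__name__}), after={after.status} "
              f"({type(after.body).__name__})")
```

The order of the checks matters: authentication and authorization run before the row lookup, so an anonymous caller cannot even learn whether a given serial id exists, and the `memoryview` is converted once, at the point where the field value becomes a response body, rather than being special-cased per database backend.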

codecov[bot] commented 4 years ago

Codecov Report

Merging #23 into master will increase coverage by 1.58%. The diff coverage is 100%.


@@            Coverage Diff             @@
##           master      #23      +/-   ##
==========================================
+ Coverage   90.94%   92.52%   +1.58%     
==========================================
  Files          13       14       +1     
  Lines         983     1004      +21     
==========================================
+ Hits          894      929      +35     
+ Misses         89       75      -14
Impacted Files              Coverage Δ
pyas2/tests/test_views.py   100%   <100%> (ø)
pyas2/urls.py               100%   <100%> (ø)
pyas2/views.py              78.35% <100%> (+10.44%)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Last update e93212f...d8d8b61.

abhishek-ram commented 4 years ago

Good fix @loop0