Closed loop0 closed 4 years ago
Merging #23 into master will increase coverage by 1.58%. The diff coverage is 100%.
@@ Coverage Diff @@
## master #23 +/- ##
==========================================
+ Coverage 90.94% 92.52% +1.58%
==========================================
Files 13 14 +1
Lines 983 1004 +21
==========================================
+ Hits 894 929 +35
+ Misses 89 75 -14
Impacted Files | Coverage Δ | |
---|---|---|
pyas2/tests/test_views.py | 100% <100%> (ø) | |
pyas2/urls.py | 100% <100%> (ø) | :arrow_up: |
pyas2/views.py | 78.35% <100%> (+10.44%) | :arrow_up: |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update e93212f...d8d8b61.
Good fix @loop0
This PR fixes 2 issues:
The most important one is that the download view is unprotected and because the certificate id is serial it makes it very easy for an attacker to download the certificates without any authentication.
The second fix is that for some types of databases the download won't work because it will return a memory pointer instead of the actual content. As listed here: https://code.djangoproject.com/ticket/27813
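
Added example, not part of the PR or of pyas2's code: a framework-neutral Python sketch of the two fixes described above, checking authentication before a sequential certificate id is looked up and converting a driver-returned `memoryview` to bytes before sending it. The names `CERTS`, `User`, `download_cert`, `naive_body` and `audit_ids` are hypothetical, the certificate data is constructed, and it assumes the "memory pointer" symptom comes from the database driver returning a `memoryview` for the binary field.

```python
from dataclasses import dataclass

# Constructed sample data: sequential ids mapped to certificate content as a
# database driver might return it (bytes on one backend, memoryview on another).
PEM = b"-----BEGIN CERTIFICATE-----\n(constructed sample)\n-----END CERTIFICATE-----\n"
CERTS = {1: PEM, 2: memoryview(PEM)}


@dataclass
class User:
    """Hypothetical stand-in for the request's user object."""
    is_authenticated: bool = False


def naive_body(blob):
    """Pre-fix behaviour: anything that is not bytes gets stringified, so a
    memoryview becomes the text '<memory at 0x...>' instead of the file."""
    return blob if isinstance(blob, bytes) else str(blob).encode()


def download_cert(user, cert_id):
    """Return (status, body) for a certificate download request.

    The authentication check runs before the id lookup, so an anonymous
    caller cannot tell existing ids from missing ones.
    """
    if not user.is_authenticated:
        return 401, b""
    blob = CERTS.get(cert_id)
    if blob is None:
        return 404, b""
    # bytes() copies the buffer behind a memoryview and leaves bytes unchanged,
    # so the response body is the same on every database backend.
    return 200, bytes(blob)


def audit_ids(user, ids):
    """Regression check: the ids for which this user receives a 200."""
    return [i for i in ids if download_cert(user, i)[0] == 200]


if __name__ == "__main__":
    print("anonymous:", audit_ids(User(), range(1, 4)))
    print("logged in:", audit_ids(User(is_authenticated=True), range(1, 4)))
    print("pre-fix body for id 2:", naive_body(CERTS[2]))
```

In a Django project the same two points map to an authentication requirement on the view and a `bytes(...)` conversion of the field value before it goes into the response.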