Univention Bugzilla – Attachment 8628 Details for
Bug 43977
Information leak by unprotected meta.json
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch
43977.patch (text/plain), 1.68 KB, created by
Florian Best
on 2017-03-23 13:12:20 CET
(
hide
)
Description:
patch
Filename:
MIME Type:
Creator:
Florian Best
Created:
2017-03-23 13:12:20 CET
Size:
1.68 KB
patch
obsolete
>diff --git a/management/univention-management-console/src/univention/management/console/protocol/session.py b/management/univention-management-console/src/univention/management/console/protocol/session.py >index 3baa59f..611282c 100644 >--- a/management/univention-management-console/src/univention/management/console/protocol/session.py >+++ b/management/univention-management-console/src/univention/management/console/protocol/session.py >@@ -147,6 +147,8 @@ class ProcessorBase(Base): > :param str password: password of the user > """ > >+ META_JSON_PATH = '/usr/share/univention-management-console/meta.json' >+ > @property > def lo(self): > return get_machine_connection(write=False)[0] >@@ -256,6 +258,7 @@ def handle_request_get(self, msg): > for arg in msg.arguments: > method = { > 'ucr': self.handle_request_get_ucr, >+ 'meta': self.handle_request_get_meta, > 'info': self.handle_request_get_info, > 'modules/list': self.handle_request_get_modules, > 'modules': self.handle_request_get_modules, >@@ -270,6 +273,15 @@ def handle_request_get(self, msg): > return > raise NotFound() > >+ @simple_response >+ def handle_request_get_meta(self): >+ try: >+ with open(self.META_JSON_PATH) as fd: >+ return json.load(fd) >+ except (EnvironmentError, ValueError) as exc: >+ CORE.error('meta.json is not available: %s' % (exc,)) >+ return {} >+ > def handle_request_set(self, msg): > for key, value in msg.options.items(): > method = { >@@ -709,6 +721,8 @@ def __del__(self): > > class Processor(ProcessorBase): > >+ META_JSON_PATH = '/usr/share/univention-management-console/meta-protected.json' >+ > @sanitize(StringSanitizer(required=True)) > def handle_request_get_ucr(self, request): > ucr.load()
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8628">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 43977
: 8628 |
8638