SECURITY: Fix misused _ensure_auth calls #109
Merged
Oh, man.
Some places called _ensure_auth() in void context, presumably thinking it would modify the handler coderef given to inject authentication checking - but it doesn't, _ensure_auth() returns a new coderef which does the required authentication checks then calls the original handler coderef which was given to _ensure_auth(). So, calling it in void context then passing the original handler coderef when setting up the route means there's no actual checking done on that route. Oops.

This is a pretty embarrassing fuckup - a security problem on one of my projects. I hold my hands up and apologise to anyone affected by this, for this is a stupid mistake. A better test suite would have caught this.
I will see if a CVE ID is warranted for this, and apply for one if so.
Big thanks to @joshrabinowitz for finding and reporting this one, and for adding tests which demonstrated the issue.
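
The void-context mistake described in this pull request, reduced to a stand-alone Perl sketch. This is an added example, not code from the project: `ensure_auth`, the `%routes` table, the paths and the request hash are hypothetical stand-ins, and the `wantarray` guard is one possible hardening that the page does not say the project adopted.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Carp qw(croak);

# Hypothetical stand-in for the project's _ensure_auth(): it does not modify
# $handler, it returns a NEW coderef that checks auth and then calls $handler.
sub ensure_auth {
    my ($handler) = @_;
    # Hardening (assumption, not the project's code): wantarray is undef in
    # void context, where the wrapper would be silently discarded. Fail loudly.
    croak "ensure_auth() called in void context; its return value is the protected handler"
        unless defined wantarray;
    return sub {
        my ($req) = @_;
        return "401 Unauthorized" unless $req->{user};
        return $handler->($req);
    };
}

my %routes;    # constructed route table: path => handler coderef
my $handler = sub { "200 OK: record deleted" };

# Buggy pattern described in the PR: the wrapper result is thrown away and
# the original handler is registered. The eval shows what the guard reports.
eval { ensure_auth($handler); 1 } or print "guard: $@";
$routes{'/buggy/delete'} = $handler;

# Fixed pattern: register the coderef that ensure_auth() returns.
$routes{'/fixed/delete'} = ensure_auth($handler);

# Regression check: send an unauthenticated (constructed) request to every
# route and report which ones let it through to the handler.
for my $path (sort keys %routes) {
    my $resp = $routes{$path}->({ user => undef });
    printf "%-14s anonymous -> %s\n", $path, $resp;
}
```

A test of the same shape as the final loop, run against every route that is supposed to require login, is the kind of check that catches a discarded wrapper.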