Merge pull request from GHSA-qm6v-cg9v-53j3
This patch fixes the issue that users can pass URLs from other tenants
to the ingest service, which then checks only against the other
organization and not against the one currently active. This allows users
to easily ingest media from other tenants.
lkiesow committed May 18, 2022
1 parent eee0c26 commit 8d5ec16
Showing 1 changed file with 1 addition and 12 deletions.
@@ -129,15 +129,13 @@
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;

import javax.management.ObjectInstance;

@@ -1568,16 +1566,7 @@ protected URI addContentToRepo(MediaPackage mp, String elementId, URI uri) throw
try {
if (uri.toString().startsWith("http")) {
HttpGet get = new HttpGet(uri);
List<String> clusterUrls = new LinkedList<>();
try {
// Note that we are not checking ports here.
clusterUrls = organizationDirectoryService.getOrganization(uri.toURL()).getServers()
.keySet()
.stream()
.collect(Collectors.toUnmodifiableList());
} catch (NotFoundException e) {
logger.warn("Unable to determine cluster members, will not be able to authenticate any downloads from them", e);
}
var clusterUrls = securityService.getOrganization().getServers().keySet();

if (uri.toString().matches(downloadSource)) {
//NB: We're creating a new client here with *different* auth than the system auth creds
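Review bot: The caveat `// Note that we are not checking ports here.` disappears with the removed block, but the new `clusterUrls` line still yields server URLs whose comparison against `uri` happens outside this hunk; if that comparison still ignores ports, keep the comment directly above `var clusterUrls = securityService.getOrganization().getServers().keySet();`. Dropping the catch also removes the graceful-degradation path: if `securityService.getOrganization()` can return null outside a request context, this line throws a NullPointerException that the enclosing `try` (its catch clauses are outside the hunk) may not handle, which is worth confirming. `NotFoundException` may now be unused in this method, so the first hunk may need to drop its import alongside `LinkedList` and `Collectors`. The body of addContentToRepo continues beyond the hunk.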
