Stringify api_key #2492

Closed
wants to merge 1 commit into from

3 participants

Egor Homakov Ryan Bigg Pavel Pravosud
Egor Homakov

No description provided.

Egor Homakov homakov Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR
e3bbfb2
Ryan Bigg
Collaborator
Egor Homakov

I almost always report it privately. It just feels like a small revenge

Pavel Pravosud

That's right. Fuck all these Spree users, nobody gives shit about them. What matters though is small revenge. Way to go, dude.

Ryan Bigg
Collaborator

FWIW: You lived up to the exact description I had in my post. Please stop doing this. You're being a jerk.

Ryan Bigg radar closed this
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key
Fixes #2492
6d12303
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key
Fixes #2492
6181bb6
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
3c2015e
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
15ff5a2
Ryan Bigg radar referenced this pull request from a commit in radar/spree
Egor Homakov homakov Stringify api_key
Fixes #2492
ac2b37c
Washington L Braga Jr huoxito referenced this pull request from a commit in huoxito/spree
Egor Homakov homakov Stringify api_key
Fixes #2492

Conflicts:
	api/app/controllers/spree/api/v1/base_controller.rb
0c88742
Filipe Dias fmfdias referenced this pull request from a commit in fmfdias/spree
Filipe Dias fmfdias Applied changes in commit 6181bb6 from upstream spree.
"Stringify api key

Fixes #2492"
1bdc72e
Commits on Jan 26, 2013
  1. Egor Homakov

    Stringify api_key

    homakov authored
    By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
    @radar, please take a look at Mr. Outsider's PR
Showing with 1 addition and 1 deletion.
  1. +1 1  api/app/controllers/spree/api/base_controller.rb
2  api/app/controllers/spree/api/base_controller.rb
@@ -53,7 +53,7 @@ def check_for_api_key
def authenticate_user
if requires_authentication? || api_key.present?
- unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key)
+ unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
render "spree/api/errors/invalid_api_key", :status => 401 and return
end
else
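Review bot: `api_key.to_s` on the `find_by_spree_api_key` line coerces the value only at this one call site, so the guard above it (`requires_authentication? || api_key.present?`) and any other use of `api_key` still see the raw parameter, which for `?token[]` is not a String. Consider normalizing where `api_key` is defined so every caller gets a String. Also, when `requires_authentication?` is true and no key is sent, `nil.to_s` makes the lookup `find_by_spree_api_key("")`; returning the 401 for a blank key before querying would avoid relying on no user row holding an empty-string key. A request spec that sends `token[]` and expects the `invalid_api_key` response would keep this from regressing.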