Skip to content

/spree

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

New issue

Stringify api_key #2492

Closed
wants to merge 1 commit into from
+1 1 

Labels

Milestone

No milestone

Assignee

No one assigned

3 participants

Egor Homakov Ryan Bigg Pavel Pravosud
Egor Homakov
homakov commented

No description provided.

Egor Homakov homakov Stringify api_key 
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR
 e3bbfb2
Ryan Bigg
Collaborator
radar commented
Egor Homakov
homakov commented

i almost always report it privately. it just feels like a small revenge

Pavel Pravosud
rwz commented

That's right. Fuck all these Spree users, nobody gives shit about them. What matters though is small revenge. Way to go, dude.

Ryan Bigg
Collaborator
radar commented

FWIW: You lived up to the exact description I had in my post. Please stop doing this. You're being a jerk.

Ryan Bigg radar closed this
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key 
Fixes #2492
 6d12303
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key 
Fixes #2492
 6181bb6
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key 
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
 3c2015e
Ryan Bigg radar referenced this pull request from a commit
Egor Homakov homakov Stringify api_key 
By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR

Fixes #2492
 15ff5a2
Ryan Bigg radar referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
Ryan Bigg radar referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
Ryan Bigg radar referenced this pull request from a commit in radar/spree
Egor Homakov homakov Stringify api_key 
Fixes #2492
 ac2b37c
Ryan Bigg radar referenced this pull request from a commit
Commit has since been removed from the repository and is no longer available.
Washington L Braga Jr huoxito referenced this pull request from a commit in huoxito/spree
Egor Homakov homakov Stringify api_key 
Fixes #2492

Conflicts:
	api/app/controllers/spree/api/v1/base_controller.rb
 0c88742
Filipe Dias fmfdias referenced this pull request from a commit in fmfdias/spree
Filipe Dias fmfdias Applied changes in commit 6181bb6 from upstream spree. 
"Stringify api key

Fixes #2492"
 1bdc72e
Tomasz Stachewicz tomash referenced this pull request in rails/rails
Open

[Concept] Always require permit before fetching #13215

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Jan 26, 2013
  1. Egor Homakov

    Stringify api_key

    homakov authored 
    By default there is no api key generated. I just managed to break into api on test installation using `?token[]`, one of my favourite CVEs
@radar, please take a look at Mr. Outsider's PR
    e3bbfb2
This page is out of date. Refresh to see the latest.
Unified Split
Showing with 1 addition and 1 deletion.
  1. +1 1  api/app/controllers/spree/api/base_controller.rb
2  api/app/controllers/spree/api/base_controller.rb
View
@@ -53,7 +53,7 @@ def check_for_api_key
def authenticate_user
if requires_authentication? || api_key.present?
- unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key)
+ unless @current_api_user = Spree.user_class.find_by_spree_api_key(api_key.to_s)
render "spree/api/errors/invalid_api_key", :status => 401 and return
end
else
Something went wrong with that request. Please try again.