api: use hashlib to validate algo parameter (#47685)
parent
700265f03e
commit
cc16562f90
|
@ -151,6 +151,8 @@ def test_get_user_from_api_query_string_error_missing_algo(pub):
|
|||
def test_get_user_from_api_query_string_error_invalid_algo(pub):
|
||||
output = get_app(pub).get('/api/user/?format=json&orig=coucou&signature=xxx&algo=coin', status=403)
|
||||
assert output.json['err_desc'] == 'invalid algo'
|
||||
output = get_app(pub).get('/api/user/?format=json&orig=coucou&signature=xxx&algo=__getattribute__', status=403)
|
||||
assert output.json['err_desc'] == 'invalid algo'
|
||||
|
||||
|
||||
def test_get_user_from_api_query_string_error_invalid_signature(pub):
|
||||
|
|
|
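Review bot: The new assertions in test_get_user_from_api_query_string_error_invalid_algo cover a dunder name, but not a public `hashlib` attribute that is not a digest constructor. That second case is the other kind of value the old `getattr(hashlib, algo)` lookup would have accepted. I would add one more request with such a name, for example `algo=new`, and again assert `output.json['err_desc'] == 'invalid algo'`, so the test pins the membership check rather than a side effect of dunder handling. The three near-identical request/assert pairs could also become a loop over the bad values to keep the test short.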
@ -55,6 +55,8 @@ def is_url_signed(utcnow=None, duration=DEFAULT_DURATION):
|
|||
algo = get_request().form.get('algo')
|
||||
if not isinstance(algo, six.string_types):
|
||||
raise AccessForbiddenError('missing/multiple algo field')
|
||||
if algo not in hashlib.algorithms_guaranteed:
|
||||
raise AccessForbiddenError('invalid algo')
|
||||
try:
|
||||
algo = getattr(hashlib, algo)
|
||||
except AttributeError:
|
||||
|
|
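Review bot: The check `if algo not in hashlib.algorithms_guaranteed:` in is_url_signed still lets the caller pick any digest the interpreter guarantees, which is broader than a signature scheme normally needs. That set includes `md5` and `sha1`, and on Python 3.6+ also `shake_128`/`shake_256`, whose digest calls require a length argument. If `algo` is later used without one (its use is outside the hunk), those two would probably raise an unhandled error instead of returning 403. I would compare against a short project-owned allowlist instead, e.g. `if algo not in ALLOWED_ALGOS:` with `ALLOWED_ALGOS = ('sha256', 'sha512')` (constructed example; use the digests your API clients actually sign with). With either form of the check, the `except AttributeError:` branch after `getattr(hashlib, algo)` becomes unreachable and can be dropped in a follow-up.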