salmanishere / pagure

Forked from pagure 5 years ago

4270aaa Make API endpoint for creating new git branch have its own ACL

Authored and Committed by pingou 5 years ago
    Make API endpoint for creating new git branch have its own ACL
    
    Basically, that API endpoint was relying on the modify_project ACL which
    is a public ACL so users can update descriptions of their projects.
    It's also an ACL that can be created with non-project specific API token
    thus making anyone's API token with this ACL able to create new git
    branches in any project.
    
    This fixes CVE: CVE-2018-1002151
    
    Signed-off-by: Pierre-Yves Chibon <pingou@pingoured.fr>
    
        
file modified
+5 -1
file modified
+2 -0
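
The flaw the commit message describes, as a simplified model added here for illustration (not pagure's code): an endpoint gated on an ACL that non-project-specific tokens may carry is reachable against any project, while a dedicated ACL is not. The names `create_branch`, `Token`, `issue_token`, `CROSS_PROJECT_ACLS` and the rule that the dedicated ACL is only issued on project-bound tokens are assumptions, and the project names are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Assumption: ACLs a user may place on a token that is NOT bound to a project.
CROSS_PROJECT_ACLS = frozenset({"modify_project"})
# Hypothetical name for the endpoint's own ACL.
BRANCH_ACL = "create_branch"


@dataclass(frozen=True)
class Token:
    owner: str
    acls: FrozenSet[str]
    project: Optional[str] = None  # None means non-project-specific


def issue_token(owner: str, acls: Iterable[str],
                project: Optional[str] = None) -> Token:
    """Issue a token; unbound tokens may only carry cross-project ACLs."""
    acl_set = frozenset(acls)
    if project is None and not acl_set <= CROSS_PROJECT_ACLS:
        raise ValueError("ACL requires a project-specific token")
    return Token(owner, acl_set, project)


def authorized(token: Token, required_acl: str, target_project: str) -> bool:
    """Token must hold the ACL and, if bound, be bound to the target."""
    if required_acl not in token.acls:
        return False
    return token.project is None or token.project == target_project


def can_create_branch_before(token: Token, target_project: str) -> bool:
    # Before the fix: branch creation reuses the modify_project ACL.
    return authorized(token, "modify_project", target_project)


def can_create_branch_after(token: Token, target_project: str) -> bool:
    # After the fix: branch creation has its own ACL.
    return authorized(token, BRANCH_ACL, target_project)


if __name__ == "__main__":
    unbound = issue_token("alice", ["modify_project"])
    print(can_create_branch_before(unbound, "bob/project"))  # True
    print(can_create_branch_after(unbound, "bob/project"))   # False
```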