From 8c5aae15ddc37c193efd568bc2420f00f5297b1c Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: May 14 2018 16:48:35 +0000
Subject: Ensure we always check the API token's project if there is one

Fix CVE-2018-1002151

Signed-off-by: Pierre-Yves Chibon

---

diff --git a/pagure/api/fork.py b/pagure/api/fork.py
index fa4c74b..687bbc0 100644
--- a/pagure/api/fork.py
+++ b/pagure/api/fork.py
@@ -22,7 +22,7 @@ import pagure.lib.tasks
 from pagure.api import (API, api_method, api_login_required, APIERROR,
                         get_authorized_api_project)
 from pagure.config import config as pagure_config
-from pagure.utils import is_repo_committer, api_authenticated
+from pagure.utils import is_repo_committer, is_true
 
 
 _log = logging.getLogger(__name__)
@@ -849,10 +849,9 @@ def api_subscribe_pull_request(
         raise pagure.exceptions.APIError(
             404, error_code=APIERROR.EPULLREQUESTSDISABLED)
 
-    if api_authenticated():
-        if flask.g.token.project and repo != flask.g.token.project:
-            raise pagure.exceptions.APIError(
-                401, error_code=APIERROR.EINVALIDTOK)
+    if flask.g.token.project and repo != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
 
     request = pagure.lib.search_pull_requests(
         flask.g.session, project_id=repo.id, requestid=requestid)
@@ -991,6 +990,10 @@ def api_pull_request_create(repo, username=None, namespace=None):
     if repo is None:
         raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and repo != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     form = pagure.forms.RequestPullForm(csrf_enabled=False)
     if not form.validate_on_submit():
         raise pagure.exceptions.APIError(
diff --git a/pagure/api/project.py b/pagure/api/project.py
index 5272c2f..157bbca 100644
--- a/pagure/api/project.py
+++ b/pagure/api/project.py
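Review bot: The import line now pulls in `is_true` from pagure.utils, yet no hunk in this diff introduces a use of it, so `+from pagure.utils import is_repo_committer, is_true` either leaves an unused import (flake8 F401) or repairs a previously missing import for code outside these hunks, and the commit message does not say which. If it is the latter, one sentence in the commit message would make the change self-explaining; if it is unused, the line should simply read `+from pagure.utils import is_repo_committer`.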
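Review bot: Dropping the `api_authenticated()` wrapper turns `flask.g.token.project` into an unconditional attribute access in api_subscribe_pull_request, so every request reaching this line must already carry a token object; the function starts before the hunk, and if its decorator admits unauthenticated callers, `flask.g.token` would be unset here and the request would fail with an AttributeError (a 500) rather than the intended 401. The same three-line guard is then added verbatim in api_pull_request_create below and in api_modify_project and api_generate_acls in project.py; a single helper, either inside `get_authorized_api_project` or a small `_check_token_project(project)` that raises `APIError(401, error_code=APIERROR.EINVALIDTOK)`, would keep the four copies from drifting. A short comment above the guard, `# A project-scoped token may only act on the project it was issued for`, would also record why this 401 is raised before any further lookup.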
@@ -965,6 +965,10 @@ def api_modify_project(repo, namespace=None):
         raise pagure.exceptions.APIError(
             404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and project != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     is_site_admin = pagure.utils.is_admin()
     admins = [u.username for u in project.get_project_users('admin')]
     # Only allow the main admin, the admins of the project, and Pagure site
@@ -1193,6 +1197,10 @@ def api_generate_acls(repo, username=None, namespace=None):
     if not project:
         raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and project != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     # Check if it's JSON or form data
     if flask.request.headers.get('Content-Type') == 'application/json':
         # Set force to True to ignore the mimetype. Set silent so that None is
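Review bot: The new guard in api_modify_project runs before the `is_site_admin` and `admins` authorization below it, so a project-scoped token is rejected with 401 even when its owner is a site admin or a project admin; that is the conservative reading of token scope and is worth stating in a comment, e.g. `# Token scope is checked before role checks: a project-scoped token never acts on another project, site admin or not`. The same guard is added unchanged in api_generate_acls further down in this file. Neither file section in this diff adds a test exercising the new rejection (a token issued for one project used against another returning EINVALIDTOK on each of the four endpoints); if such tests exist elsewhere in the commit they are not visible here, otherwise they would be the natural regression check for the CVE fix named in the subject.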