3diy
/
moonraker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

http_client: don't store client in the wrapper 

This closes a securitiy vulernability where the client could
be used to download and save a file from any configured
location.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan 2023-04-17 08:13:05 -04:00
parent 53d9522c06
commit ac10b4a3b9
No known key found for this signature in database
GPG Key ID: 5A1EB336DFB4C71B
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
moonraker/components/http_client.py
View File

@ -278,7 +278,7 @@ class HttpRequestWrapper:
def __init__( def __init__(
self, client: HttpClient, default_url: str, **kwargs self, client: HttpClient, default_url: str, **kwargs
) -> None: ) -> None:
self.client = client self._do_request = client.request
self._last_response: Optional[HttpResponse] = None self._last_response: Optional[HttpResponse] = None
self.default_request_args: Dict[str, Any] = { self.default_request_args: Dict[str, Any] = {
"method": "GET", "method": "GET",
@ -293,7 +293,7 @@ class HttpRequestWrapper:
req_args.update(kwargs) req_args.update(kwargs)
method = req_args.pop("method", self.default_request_args["method"]) method = req_args.pop("method", self.default_request_args["method"])
url = req_args.pop("url", self.default_request_args["url"]) url = req_args.pop("url", self.default_request_args["url"])
self._last_response = await self.client.request(method, url, **req_args) self._last_response = await self._do_request(method, url, **req_args)
return self._last_response return self._last_response
def set_method(self, method: str) -> None: def set_method(self, method: str) -> None: