From eb44a660663910e965c33d3913a9a67b24883df1 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Mon, 23 Nov 2020 09:39:09 +0000
Subject: [PATCH] Check for system accounts during authorization
---
daemon.py | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/daemon.py b/daemon.py
index 7ffaba474..96b34b5d5 100644
--- a/daemon.py
+++ b/daemon.py
@@ -1120,21 +1120,22 @@ class PubServer(BaseHTTPRequestHandler):
 tokenStr = tokenStr.split(';')[0].strip()
 if self.server.tokensLookup.get(tokenStr):
 nickname = self.server.tokensLookup[tokenStr]
- self.authorizedNickname = nickname
- # default to the inbox of the person
- if self.path == '/':
- self.path = '/users/' + nickname + '/inbox'
- # check that the path contains the same nickname
- # as the cookie otherwise it would be possible
- # to be authorized to use an account you don't own
- if '/' + nickname + '/' in self.path:
- return True
- elif '/' + nickname + '?' in self.path:
- return True
- elif self.path.endswith('/' + nickname):
- return True
- print('AUTH: nickname ' + nickname +
- ' was not found in path ' + self.path)
+ if not isSystemAccount(nickname):
+ self.authorizedNickname = nickname
+ # default to the inbox of the person
+ if self.path == '/':
+ self.path = '/users/' + nickname + '/inbox'
+ # check that the path contains the same nickname
+ # as the cookie otherwise it would be possible
+ # to be authorized to use an account you don't own
+ if '/' + nickname + '/' in self.path:
+ return True
+ elif '/' + nickname + '?' in self.path:
+ return True
+ elif self.path.endswith('/' + nickname):
+ return True
+ print('AUTH: nickname ' + nickname +
+ ' was not found in path ' + self.path)
 return False
 print('AUTH: epicyon cookie ' +
 'authorization failed, header=' +
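Review bot: A token that maps to a system account now falls through to `return False` silently, while every other refusal in this function prints an `AUTH:` line; the new guard should log as well, so a rejected system-account cookie is observable in the same place as the other denials. A guard clause reads better than wrapping the whole body one level deeper: `if isSystemAccount(nickname):` / `print('AUTH: system account ' + nickname + ' cannot be authorized')` / `return False`, which leaves the existing path checks at their original depth. The diffstat shows no import change, so `isSystemAccount` must already be in scope in daemon.py; if it is not, the first authorized request raises NameError instead of denying access, which is worth confirming. The enclosing method begins before this hunk.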