uploads: Require authentication when uploading the payload
authorMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Sep 2024 02:15:38 +0000 (02:15 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Sun, 15 Sep 2024 02:15:38 +0000 (02:15 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/web/uploads.py

index f31c52353d462ca263391f4fa4714d588f703fbf..5220fa3efde50665c191fb44f9767bb5d728d4bb 100644 (file)
@@ -117,13 +117,7 @@ class APIv1DetailHandler(base.APIMixin, base.BaseHandler):
                """
                self.buffer.write(data)
 
-       # Yes, this does not require authentication. You have seen this correctly.
-       # This is because of us using SPNEGO which might cause a request being sent
-       # more than once, which therefore means that the payload is being transferred
-       # more than once.
-       # To avoid this, we request the digest when the upload is being created, we
-       # then generate a unique ID which an attacker would have to guess first and
-       # then have to upload a file which's hash collides with the original file.
+       @base.negotiate
        async def put(self, uuid):
                """
                        Called to store the received payload
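Review bot: The new `@base.negotiate` on `put()` authenticates only when the handler method itself runs, while the context line `self.buffer.write(data)` just above belongs to a method (its name is outside the hunk) that appears to accept body chunks; if that method is called while the body streams in, as in Tornado's streamed-body handlers, an unauthenticated client can still make the server buffer a full payload before it is rejected. Consider rejecting unauthenticated requests before any body is accepted (in Tornado that would be `prepare()`), or bounding the buffer size. Nothing visible here checks that the authenticated user is the one who created the upload identified by `uuid`; the body of `put()` continues outside the hunk, so confirm that an ownership check exists there. The removed comment also recorded that SPNEGO can cause the payload to be sent more than once, so a short replacement such as `# Authenticated via SPNEGO; the payload may be transferred twice during negotiation` would keep that trade-off documented.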