From: Michael Tremer
Date: Sun, 15 Sep 2024 02:15:38 +0000 (+0000)
Subject: uploads: Require authentication when uploading the payload
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d397ab6565fa796850ed04287fa741423dabb46;p=pbs.git
uploads: Require authentication when uploading the payload
Signed-off-by: Michael Tremer
---
diff --git a/src/web/uploads.py b/src/web/uploads.py
index f31c5235..5220fa3e 100644
--- a/src/web/uploads.py
+++ b/src/web/uploads.py
@@ -117,13 +117,7 @@ class APIv1DetailHandler(base.APIMixin, base.BaseHandler):
 """
 self.buffer.write(data)
- # Yes, this does not require authentication. You have seen this correctly.
- # This is because of us using SPNEGO which might cause a request being sent
- # more than once, which therefore means that the payload is being transferred
- # more than once.
- # To avoid this, we request the digest when the upload is being created, we
- # then generate a unique ID which an attacker would have to guess first and
- # then have to upload a file which's hash collides with the original file.
+ @base.negotiate
 async def put(self, uuid):
 """
 Called to store the received payload
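Review bot: The `@base.negotiate` decorator on `put` only takes effect once `put` is called, while the context line `self.buffer.write(data)` above it sits in a separate method that starts outside the hunk and carries no check of its own. If that method is the handler's streaming body callback, an unauthenticated client can still push an arbitrarily large payload into `self.buffer` before the request is rejected, and a SPNEGO client that is challenged first will transfer the payload twice, which is the cost the removed comment described. I would enforce a size limit or reject unauthenticated requests before the body is buffered, and replace the deleted comment with a short one such as `# Authenticated via SPNEGO; the payload may be sent twice if the first request is challenged`. Whether `put` also verifies that the authenticated user owns the upload identified by `uuid` cannot be seen here, since its body continues past the hunk.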