Fix handling of private methods

The detection of the attribute `_private` was performed on a string object representing the name of the method instead of the method itself, leading to the registry allowing anyone to call private methods.

Fix handling of private methods
The detection of the attribute `_private` was performed on a string object representing the name of the method instead of the method itself, leading to the registry allowing anyone to call private methods.
d0233199 · Killian Lufau · d868f09a · d0233199
Commit d0233199 authored Jul 03, 2019 by Killian Lufau
Show whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

re6st/registry.py re6st/registry.py +1 -1

No files found.
--- a/re6st/registry.py
+++ b/re6st/registry.py
@@ -244,7 +244,7 @@ class RegistryServer(object):
    def handle_request(self, request, method, kw):
        m = getattr(self, method)
-        if hasattr(method, '_private'):
+        if hasattr(m, '_private'):
            authorized_origin =  self.config.authorized_origin
            x_forwarded_for = request.headers.get('X-Forwarded-For')
            if request.client_address[0] not in authorized_origin or \