Commit d0233199 by Killian Lufau

Fix handling of private methods

The detection of the attribute `_private` was performed on a string
object representing the name of the method instead of the method itself,
leading to the registry allowing anyone to call private methods.
parent d868f09a
......@@ -244,7 +244,7 @@ class RegistryServer(object):
def handle_request(self, request, method, kw):
m = getattr(self, method)
if hasattr(method, '_private'):
if hasattr(m, '_private'):
authorized_origin = self.config.authorized_origin
x_forwarded_for = request.headers.get('X-Forwarded-For')
if request.client_address[0] not in authorized_origin or \
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment