Commit d0233199 authored by Killian Lufau's avatar Killian Lufau

Fix handling of private methods

The detection of the attribute `_private` was performed on a string
object representing the name of the method instead of the method itself,
leading to the registry allowing anyone to call private methods.
parent d868f09a
...@@ -244,7 +244,7 @@ class RegistryServer(object): ...@@ -244,7 +244,7 @@ class RegistryServer(object):
def handle_request(self, request, method, kw): def handle_request(self, request, method, kw):
m = getattr(self, method) m = getattr(self, method)
if hasattr(method, '_private'): if hasattr(m, '_private'):
authorized_origin = self.config.authorized_origin authorized_origin = self.config.authorized_origin
x_forwarded_for = request.headers.get('X-Forwarded-For') x_forwarded_for = request.headers.get('X-Forwarded-For')
if request.client_address[0] not in authorized_origin or \ if request.client_address[0] not in authorized_origin or \
......
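Review bot: The gate at `if hasattr(m, '_private'):` remains opt-in, so anything `getattr(self, method)` resolves that lacks the marker is served without the origin check; a forgotten marker fails open just as the original string/callable mix-up did. Whether `method` is restricted to known handler names before this point is not visible in the hunk, and that should be confirmed, since `getattr` on a request-supplied name will also resolve attributes that were never meant to be handlers. I would add a comment above the check, `# SECURITY: handlers are public unless the resolved callable m carries _private; never test the name string`, and a regression test asserting that a `_private` method called from an address outside `authorized_origin` is rejected. The condition that reads `X-Forwarded-For` is cut off at the end of the hunk, so the origin check itself cannot be reviewed from here.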