aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJavier Peletier <jpeletier@users.noreply.github.com>2018-11-07 21:49:42 +0800
committerAnton Evangelatov <anton.evangelatov@gmail.com>2018-11-07 21:49:42 +0800
commit36ca85fa1c2936087b2c3d976d3576f0f5d2157e (patch)
tree8d5e74962ca37461ebca2f7d369c4017c4bff997
parentb35165555d737042d5f958413827c31a7a5f4805 (diff)
downloaddexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar.gz
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar.bz2
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar.lz
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar.xz
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.tar.zst
dexon-36ca85fa1c2936087b2c3d976d3576f0f5d2157e.zip
swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)
-rw-r--r--swarm/api/http/server.go10
-rw-r--r--swarm/api/http/server_test.go34
2 files changed, 38 insertions, 6 deletions
diff --git a/swarm/api/http/server.go b/swarm/api/http/server.go
index e9005104e..803b78987 100644
--- a/swarm/api/http/server.go
+++ b/swarm/api/http/server.go
@@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
return
}
- if updateRequest.IsUpdate() {
+ switch {
+ case updateRequest.IsUpdate():
// Verify that the signature is intact and that the signer is authorized
// to update this feed
// Check this early, to avoid creating a feed and then not being able to set its first update.
@@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
respondError(w, r, err.Error(), http.StatusInternalServerError)
return
}
- }
-
- if query.Get("manifest") == "1" {
+ fallthrough
+ case query.Get("manifest") == "1":
// we create a manifest so we can retrieve feed updates with bzz:// later
// this manifest has a special "feed type" manifest, and saves the
// feed identification used to retrieve feed updates later
@@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, string(outdata))
w.Header().Add("Content-type", "application/json")
+ default:
+ respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
}
}
diff --git a/swarm/api/http/server_test.go b/swarm/api/http/server_test.go
index 1cf7ff577..159c8a159 100644
--- a/swarm/api/http/server_test.go
+++ b/swarm/api/http/server_test.go
@@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
}
urlQuery = testUrl.Query()
body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
+ goodQueryParameters := urlQuery.Encode() // save the query parameters for a second attempt
+
+ // create bad query parameters in which the signature is missing
+ urlQuery.Del("signature")
testUrl.RawQuery = urlQuery.Encode()
+ // 1st attempt with bad query parameters in which the signature is missing
resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
if err != nil {
t.Fatal(err)
}
defer resp.Body.Close()
- if resp.StatusCode != http.StatusOK {
- t.Fatalf("Update returned %s", resp.Status)
+ expectedCode := http.StatusBadRequest
+ if resp.StatusCode != expectedCode {
+ t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+ }
+
+ // 2nd attempt with bad query parameters in which the signature is of incorrect length
+ urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
+ resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer resp.Body.Close()
+ expectedCode = http.StatusBadRequest
+ if resp.StatusCode != expectedCode {
+ t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+ }
+
+ // 3rd attempt, with good query parameters:
+ testUrl.RawQuery = goodQueryParameters
+ resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer resp.Body.Close()
+ expectedCode = http.StatusOK
+ if resp.StatusCode != expectedCode {
+ t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
}
// get latest update through bzz-feed directly