author | Javier Peletier <jpeletier@users.noreply.github.com> | 2018-11-07 21:49:42 +0800 |
committer | Anton Evangelatov <anton.evangelatov@gmail.com> | 2018-11-07 21:49:42 +0800 |
commit | 36ca85fa1c2936087b2c3d976d3576f0f5d2157e (patch) | |
tree | 8d5e74962ca37461ebca2f7d369c4017c4bff997 | |
parent | b35165555d737042d5f958413827c31a7a5f4805 (diff) | |
swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)
-rw-r--r-- | swarm/api/http/server.go | 10 | ||||
-rw-r--r-- | swarm/api/http/server_test.go | 34 |
2 files changed, 38 insertions, 6 deletions
diff --git a/swarm/api/http/server.go b/swarm/api/http/server.go
index e9005104e..803b78987 100644
--- a/swarm/api/http/server.go
+++ b/swarm/api/http/server.go
@@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	if updateRequest.IsUpdate() {
+	switch {
+	case updateRequest.IsUpdate():
 		// Verify that the signature is intact and that the signer is authorized
 		// to update this feed
 		// Check this early, to avoid creating a feed and then not being able to set its first update.
@@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 			respondError(w, r, err.Error(), http.StatusInternalServerError)
 			return
 		}
-	}
-
-	if query.Get("manifest") == "1" {
+		fallthrough
+	case query.Get("manifest") == "1":
 		// we create a manifest so we can retrieve feed updates with bzz:// later
 		// this manifest has a special "feed type" manifest, and saves the
 		// feed identification used to retrieve feed updates later
@@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, string(outdata))
 		w.Header().Add("Content-type", "application/json")
+	default:
+		respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
 	}
 }
diff --git a/swarm/api/http/server_test.go b/swarm/api/http/server_test.go
index 1cf7ff577..159c8a159 100644
--- a/swarm/api/http/server_test.go
+++ b/swarm/api/http/server_test.go
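Review bot: The `fallthrough` added in the second hunk (@@ -497) changes behaviour beyond the 400 fix: every signed update now also runs the `manifest` branch, so a feed manifest is created and its JSON address written to the response even when the request did not pass `manifest=1`, whereas the replaced code only did that on request. If the manifest branch persists a chunk (its body lies outside the hunk), each update now costs an extra write, and an update response that previously ended the handler now carries a manifest address. If that is intended, state it above the keyword, e.g. `// fallthrough: a successful update always returns a fresh feed manifest address`; if not, guard it with `if query.Get("manifest") != "1" { return }` placed before the `fallthrough`. HandlePostFeed's signature and the request parsing are outside these hunks.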
@@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
 	}
 	urlQuery = testUrl.Query()
 	body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
+	goodQueryParameters := urlQuery.Encode() // save the query parameters for a second attempt
+
+	// create bad query parameters in which the signature is missing
+	urlQuery.Del("signature")
 	testUrl.RawQuery = urlQuery.Encode()
+	// 1st attempt with bad query parameters in which the signature is missing
 	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("Update returned %s", resp.Status)
+	expectedCode := http.StatusBadRequest
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+	}
+
+	// 2nd attempt with bad query parameters in which the signature is of incorrect length
+	urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
+	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+	expectedCode = http.StatusBadRequest
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
+	}
+
+	// 3rd attempt, with good query parameters:
+	testUrl.RawQuery = goodQueryParameters
+	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+	expectedCode = http.StatusOK
+	if resp.StatusCode != expectedCode {
+		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
 	}
 	// get latest update through bzz-feed directly
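Review bot: The second attempt (the `0xabcd` signature) never reaches the server with that value: `urlQuery.Set("signature", "0xabcd")` mutates the `url.Values` map, but `testUrl.RawQuery` was last assigned before it and is not re-encoded, so the request is posted with the same missing-signature URL as the first attempt and the wrong-length case goes untested. Add `testUrl.RawQuery = urlQuery.Encode()` directly after the `Set` call; the third attempt is unaffected because it assigns `RawQuery` explicitly. The comment `// save the query parameters for a second attempt` also names the wrong attempt, since the saved parameters are restored for the third one; `// save the valid query parameters for the final attempt` matches the code. TestBzzFeed starts and continues outside this hunk.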