GitHub: Fix security issue (anyone could push as a web hook).

2011-06-30 10:37:29 +02:00 · 2011-06-30 10:37:29 +02:00 · 12e3210d67
parent d3ec8e90db
commit 12e3210d67
1 changed files with 5 additions and 1 deletions
--- a/GitHub/plugin.py
+++ b/GitHub/plugin.py
@ -61,7 +61,11 @@ import supybot.utils.httpserver

 class GithubCallback(supybot.utils.httpserver.SupyHTTPServerCallback):
    def doPost(self, handler, path, form):
-        self.plugin.announce.onPayload(json.loads(form['payload'].value))
+        if not handler.address_string().endswith('.rs.github.com'):
+            log.warning("""'%s' tryed to act as a web hook for Github,
+            but is not GitHub.""")
+        else:
+            self.plugin.announce.onPayload(json.loads(form['payload'].value))

 #####################
 # API access stuff