Home-Assistant
/
core
mirror of https://github.com/home-assistant/core.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do not propagate api password (#1797) 

* Do not propagate API password in service requests.

It makes service validation fail. The choice is to either handle it as an
optional key in every service handler and make sure it doesn't end up in event
stream and notifications, or to strip it as early as possible.

* Some places still need a forwarded api password.

- Event forwarding/remote api uses the local api password to
  authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
pull/1800/merge
Jan Harkes 2016-04-11 22:37:15 -04:00 committed by Paulus Schoutsen
parent 80d6e9f08f
commit 4857117dda
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
homeassistant/components/http.py
View File

@ -28,7 +28,7 @@ from homeassistant.const import (
HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES,
HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED,
HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY,
SERVER_PORT)
SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD)
DOMAIN = "http"
@ -218,6 +218,10 @@ class RequestHandler(SimpleHTTPRequestHandler):
else:
self.authenticated = False
# we really shouldn't need to forward the password from here
if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]:
data.pop(DATA_API_PASSWORD, None)
if '_METHOD' in data:
method = data.pop('_METHOD')