From 4857117ddaba83c6ab26a95df059fdc654f73573 Mon Sep 17 00:00:00 2001 From: Jan Harkes Date: Mon, 11 Apr 2016 22:37:15 -0400 Subject: [PATCH] Do not propagate api password (#1797) * Do not propagate API password in service requests. It makes service validation fail. The choice is to either handle it as an optional key in every service handler and make sure it doesn't end up in event stream and notifications, or to strip it as early as possible. * Some places still need a forwarded api password. - Event forwarding/remote api uses the local api password to authenticate against the remote instance. - The generated index.html at '/' embeds the api password. --- homeassistant/components/http.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py index 12647be68f7..b7eaa4dfd60 100644 --- a/homeassistant/components/http.py +++ b/homeassistant/components/http.py @@ -28,7 +28,7 @@ from homeassistant.const import ( HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES, HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED, HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY, - SERVER_PORT) + SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD) DOMAIN = "http" @@ -218,6 +218,10 @@ class RequestHandler(SimpleHTTPRequestHandler): else: self.authenticated = False + # we really shouldn't need to forward the password from here + if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]: + data.pop(DATA_API_PASSWORD, None) + if '_METHOD' in data: method = data.pop('_METHOD')