V*OrAdminSecret: check modhash if secret token not used.

It is necessary to do this check in V*OrAdminSecret as we cannot (and should not) require a modhash when the secret token is being used because this would break API compatibility and isn't necessary. This fixes two XSRF vulnerabilities reported by Jordan Milne (/u/largenocream).
2026-04-27 03:00:12 -04:00 · 2014-02-06 22:37:38 -08:00
parent 94d69f59ab
commit 58c66fbbcf
1 changed files with 6 additions and 0 deletions
--- a/r2/r2/lib/validator/validator.py
+++ b/r2/r2/lib/validator/validator.py
@@ -905,6 +905,12 @@ def make_or_admin_secret_cls(base_cls):
                                                g.secrets["ADMINSECRET"]):
                return True
            super(VOrAdminSecret, self).run()
+
+            # import here so that we don't close around VModhash
+            # before r2admin can override
+            from r2.lib.validator import VModhash
+            VModhash(fatal=True).run(request.POST.get("uh"))
+
            return False
    return VOrAdminSecret