From 58c66fbbcf5f937ee1171416e28c08eff20bc9ca Mon Sep 17 00:00:00 2001
From: Neil Williams
Date: Thu, 6 Feb 2014 22:37:38 -0800
Subject: [PATCH] V*OrAdminSecret: check modhash if secret token not used.

It is necessary to do this check in V*OrAdminSecret as we cannot (and should not) require a modhash when the secret token is being used because this would break API compatibility and isn't necessary. This fixes two XSRF vulnerabilities reported by Jordan Milne (/u/largenocream).
---
 r2/r2/lib/validator/validator.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/r2/r2/lib/validator/validator.py b/r2/r2/lib/validator/validator.py
index 48860fa85..e788ab801 100644
--- a/r2/r2/lib/validator/validator.py
+++ b/r2/r2/lib/validator/validator.py
@@ -905,6 +905,12 @@ def make_or_admin_secret_cls(base_cls):
 g.secrets["ADMINSECRET"]):
 return True
 super(VOrAdminSecret, self).run()
+
+ # import here so that we don't close around VModhash
+ # before r2admin can override
+ from r2.lib.validator import VModhash
+ VModhash(fatal=True).run(request.POST.get("uh"))
+
 return False
 return VOrAdminSecret
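Review bot: The modhash is taken only from `request.POST.get("uh")`, so a request that supplies it through any other channel the framework's normal VModhash binding might honor (a header, or the query string on a GET) fails this check; if the POST-body-only source is deliberate, say so next to the call, e.g. `# no secret token: require the modhash, accepted from the POST body only`, and if VModhash elsewhere reads it from more places, feed it the same way so both paths agree. The two-path contract of `run` is also worth a short comment — a matching admin secret short-circuits to True with no modhash required (as the commit message explains), otherwise base validation runs and the fatal modhash check is enforced before the existing `return False`. The enclosing `run` method and `make_or_admin_secret_cls` start outside the hunk, so the comparison against `g.secrets["ADMINSECRET"]` itself is not visible here.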