Do not propagate api password (home-assistant#1797)
* Do not propagate API password in service requests.

It makes service validation fail. The choice is to either handle it as an
optional key in every service handler and make sure it doesn't end up in event
stream and notifications, or to strip it as early as possible.

* Some places still need a forwarded api password.

- Event forwarding/remote api uses the local api password to
  authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
jaharkes authored and balloob committed Apr 12, 2016
1 parent 80d6e9f commit 4857117
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion homeassistant/components/http.py
Expand Up @@ -28,7 +28,7 @@
HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES,
HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED,
HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY,
SERVER_PORT)
SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD)

DOMAIN = "http"
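
Review bot: The two names added on the `SERVER_PORT` line break the alphabetical order that the rest of this import list follows: `URL_ROOT` is placed before `URL_API_EVENT_FORWARD`. Swap them so the line reads `SERVER_PORT, URL_API_EVENT_FORWARD, URL_ROOT)`, which keeps the list easy to scan and reduces merge noise when more constants are added.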

Expand Down Expand Up @@ -218,6 +218,10 @@ def _handle_request(self, method): # pylint: disable=too-many-branches
else:
self.authenticated = False

# we really shouldn't need to forward the password from here
if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]:
data.pop(DATA_API_PASSWORD, None)

if '_METHOD' in data:
method = data.pop('_METHOD')
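
Review bot: The comment above `if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]:` does not say why those two paths are exempt, so a later reader cannot tell whether the list is safe to extend or shrink. The commit message already has the reasons (the generated index.html at '/' embeds the password, and event forwarding uses it to authenticate against the remote instance); put them in the comment, and consider moving the list into a named module-level constant. For the two exempt paths the password stays in `data`, so their handlers still have to keep it out of the event stream and notifications themselves. Only http.py changes in this commit; a test asserting that `DATA_API_PASSWORD` is absent from `data` for an ordinary service call, and still present for the two exempt paths, would pin this behaviour down.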
