From 2c665ca3e4e60e02b352ab24cf9c3e5b85bbc220 Mon Sep 17 00:00:00 2001 From: Jan Harkes Date: Mon, 11 Apr 2016 22:37:15 -0400 Subject: [PATCH] Do not propagate api password (#1797) * Do not propagate API password in service requests. It makes service validation fail. The choice is to either handle it as an optional key in every service handler and make sure it doesn't end up in event stream and notifications, or to strip it as early as possible. * Some places still need a forwarded api password. - Event forwarding/remote api uses the local api password to authenticate against the remote instance. - The generated index.html at '/' embeds the api password. --- homeassistant/components/http.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py index 7d8fd8620b4..89524ff9311 100644 --- a/homeassistant/components/http.py +++ b/homeassistant/components/http.py @@ -27,7 +27,7 @@ from homeassistant.const import ( HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES, HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED, HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY, - SERVER_PORT) + SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD) DOMAIN = "http" @@ -207,6 +207,10 @@ class RequestHandler(SimpleHTTPRequestHandler): self.server.api_password or self.verify_session()) + # we really shouldn't need to forward the password from here + if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]: + data.pop(DATA_API_PASSWORD, None) + if '_METHOD' in data: method = data.pop('_METHOD')