From 2c665ca3e4e60e02b352ab24cf9c3e5b85bbc220 Mon Sep 17 00:00:00 2001
From: Jan Harkes
Date: Mon, 11 Apr 2016 22:37:15 -0400
Subject: [PATCH 1/2] Do not propagate api password (#1797)
* Do not propagate API password in service requests. It makes service validation fail. The choice is to either handle it as an optional key in every service handler and make sure it doesn't end up in event stream and notifications, or to strip it as early as possible.
* Some places still need a forwarded api password.
- Event forwarding/remote api uses the local api password to authenticate against the remote instance.
- The generated index.html at '/' embeds the api password.
---
 homeassistant/components/http.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py
index 7d8fd8620b4..89524ff9311 100644
--- a/homeassistant/components/http.py
+++ b/homeassistant/components/http.py
@@ -27,7 +27,7 @@ from homeassistant.const import (
 HTTP_HEADER_CONTENT_LENGTH, HTTP_HEADER_CONTENT_TYPE, HTTP_HEADER_EXPIRES, HTTP_HEADER_HA_AUTH, HTTP_HEADER_VARY, HTTP_METHOD_NOT_ALLOWED, HTTP_NOT_FOUND, HTTP_OK, HTTP_UNAUTHORIZED, HTTP_UNPROCESSABLE_ENTITY,
- SERVER_PORT)
+ SERVER_PORT, URL_ROOT, URL_API_EVENT_FORWARD)
 DOMAIN = "http"
@@ -207,6 +207,10 @@ class RequestHandler(SimpleHTTPRequestHandler):
 self.server.api_password or self.verify_session())
+ # we really shouldn't need to forward the password from here
+ if url.path not in [URL_ROOT, URL_API_EVENT_FORWARD]:
+ data.pop(DATA_API_PASSWORD, None)
+
 if '_METHOD' in data:
 method = data.pop('_METHOD')
From 4023021b216a8792f572b54ac892a7045ad8951b Mon Sep 17 00:00:00 2001
From: Paulus Schoutsen
Date: Mon, 11 Apr 2016 19:48:37 -0700
Subject: [PATCH 2/2] Version bump to 0.17.3
---
 homeassistant/const.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/homeassistant/const.py b/homeassistant/const.py
index 349a820dfc1..4e3bf05eaa9 100644
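Review bot: In the second http.py hunk, requests to `URL_ROOT` and `URL_API_EVENT_FORWARD` skip the new `data.pop(DATA_API_PASSWORD, None)`, so for those two paths the credential stays in `data`, and the comment above the check does not say why they are exempt. The commit message gives the reasons (the index page at '/' embeds the password, and event forwarding uses it to authenticate against the remote instance); I would carry them into the comment, e.g. `# Strip the API password before dispatch so it cannot reach service data, the event stream or notifications; only '/' and event forwarding still read it from data.` A regression test that sends `api_password` in the request data of a service call and asserts the key is absent from the data the service receives would pin this behaviour, since nothing in the patch does. The enclosing method starts and ends outside the hunk, so where `data` is populated and how the handlers use it is not visible here.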
--- a/homeassistant/const.py
+++ b/homeassistant/const.py
@@ -1,7 +1,7 @@
 # coding: utf-8
 """Constants used by Home Assistant components."""
-__version__ = "0.17.2"
+__version__ = "0.17.3"
 REQUIRED_PYTHON_VER = (3, 4)
 PLATFORM_FORMAT = '{}.{}'