Don't allow users to set internal attributes via PUT

author Gunnar Beutner <gunnar@beutner.name>

Wed, 11 Nov 2015 07:29:48 +0000 (08:29 +0100)

committer Gunnar Beutner <gunnar@beutner.name>

Wed, 11 Nov 2015 07:41:49 +0000 (08:41 +0100)
author Gunnar Beutner <gunnar@beutner.name>
Wed, 11 Nov 2015 07:29:48 +0000 (08:29 +0100)
committer Gunnar Beutner <gunnar@beutner.name>
Wed, 11 Nov 2015 07:41:49 +0000 (08:41 +0100)
diff --git a/lib/remote/configobjectutility.cpp b/lib/remote/configobjectutility.cpp

index 91de62c5f4d0fd446d5f54f18fe3c8be65db7113..d6270baad1d674cbe4827f8259f21fd9f68c91bd 100644 (file)
--- a/lib/remote/configobjectutility.cpp
+++ b/lib/remote/configobjectutility.cpp
@@ -66,9 +66,23 @@ String ConfigObjectUtility::CreateObjectConfig(const Type::Ptr& type, const Stri
  
         Dictionary::Ptr allAttrs = new Dictionary();
  
-       if (attrs)
+       if (attrs) {
                 attrs->CopyTo(allAttrs);
  
+               ObjectLock olock(attrs);
+               BOOST_FOREACH(const Dictionary::Pair& kv, attrs) {
+                       int fid = type->GetFieldId(kv.first);
+
+                       if (fid < 0)
+                               BOOST_THROW_EXCEPTION(ScriptError("Invalid attribute specified: " + kv.first));
+
+                       Field field = type->GetFieldInfo(fid);
+
+                       if (field.Attributes & FANoUserModify)
+                               BOOST_THROW_EXCEPTION(ScriptError("Attribute is marked for internal use only and may not be set: " + kv.first));
+               }
+       }
+
         if (nameParts)
                 nameParts->CopyTo(allAttrs);
author	Gunnar Beutner <gunnar@beutner.name>
	Wed, 11 Nov 2015 07:29:48 +0000 (08:29 +0100)
committer	Gunnar Beutner <gunnar@beutner.name>
	Wed, 11 Nov 2015 07:41:49 +0000 (08:41 +0100)