From 356c4cc17079ae7dffaee68f4c065ea01ae2281c Mon Sep 17 00:00:00 2001
From: Gunnar Beutner
Date: Wed, 11 Nov 2015 08:29:48 +0100
Subject: [PATCH] Don't allow users to set internal attributes via PUT
fixes #10601
---
 lib/remote/configobjectutility.cpp | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/remote/configobjectutility.cpp b/lib/remote/configobjectutility.cpp
index 91de62c5f..d6270baad 100644
--- a/lib/remote/configobjectutility.cpp
+++ b/lib/remote/configobjectutility.cpp
@@ -66,9 +66,23 @@ String ConfigObjectUtility::CreateObjectConfig(const Type::Ptr& type, const Stri
 Dictionary::Ptr allAttrs = new Dictionary();
- if (attrs)
+ if (attrs) {
 attrs->CopyTo(allAttrs);
+ ObjectLock olock(attrs);
+ BOOST_FOREACH(const Dictionary::Pair& kv, attrs) {
+ int fid = type->GetFieldId(kv.first);
+
+ if (fid < 0)
+ BOOST_THROW_EXCEPTION(ScriptError("Invalid attribute specified: " + kv.first));
+
+ Field field = type->GetFieldInfo(fid);
+
+ if (field.Attributes & FANoUserModify)
+ BOOST_THROW_EXCEPTION(ScriptError("Attribute is marked for internal use only and may not be set: " + kv.first));
+ }
+ }
+
 if (nameParts)
 nameParts->CopyTo(allAttrs);
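Review bot: In the new `if (attrs) {` block the user-supplied dictionary is copied into `allAttrs` before `ObjectLock olock(attrs);` is taken and before the `FANoUserModify` loop runs, so the check walks `attrs` rather than the copy that is used afterwards. If `attrs` can be modified by another thread between the copy and the lock (not visible from this hunk), a key could reach `allAttrs` without having been checked; moving `attrs->CopyTo(allAttrs);` to after the loop, still inside the lock scope, closes that gap and keeps rejected input out of `allAttrs` entirely. The lookup `type->GetFieldId(kv.first)` uses the full key, so any nested or dotted key form the API accepts elsewhere would be rejected here as invalid, which is worth confirming as intended. A one-line comment above the loop, such as `/* reject unknown fields and fields flagged FANoUserModify before they reach the generated config */`, would record why the check lives here. CreateObjectConfig starts and ends outside the hunk, so how `allAttrs` is consumed afterwards cannot be checked from this view.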