View Issue Details

ID: 0006842
Project: Anastasis
Category: backend
View Status: public
Last Update: 2021-04-11 17:48
Reporter: Christian Grothoff
Assigned To: Christian Grothoff
Status: closed
Resolution: fixed
Platform: i7
OS: Debian GNU/Linux
OS Version: squeeze
Product Version: Git master
Target Version: 0.0.0
Fixed in Version: 0.0.0
Summary: 0006842: policy upload succeeds despite payment secret not being initialized
Description: The code currently never sets the payment secret, thus the policy upload happens without one (alas, after the upload was paid for). This is bad, because it would allow a strong adversary to upload a policy without payment (benefiting from the payment of the legitimate user).

- fix the backend to properly check for the correct payment secret being provided by the client (and not just a payment existing)
- fix the reducer to store the 'payment_secret' in the 'policy_providers' field
Tags: No tags attached.
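
The two backend checks contrasted in the first fix item, as an added example that is not part of the original report and is not Anastasis code. The record layout, function names, 32-byte lengths and sample values are constructed for illustration, and the constant-time comparison is an addition the report does not mention.

```c
#include <stdbool.h>
#include <stddef.h>
#define KEY_LEN 32
typedef unsigned char u8;

/* Hypothetical payment record, not the Anastasis schema. */
struct payment {
  u8 account[KEY_LEN]; /* account the order was created for */
  u8 secret[KEY_LEN];  /* payment secret tied to that order */
  bool paid;
};

/* Constructed sample data: Alice has paid, Bob's order is unpaid. */
const u8 ALICE[KEY_LEN] = { 0xA1 };
const u8 ALICE_SECRET[KEY_LEN] = { 0x5E, 0xC1 };
const u8 BOB[KEY_LEN] = { 0xB0 };
const u8 UNSET_SECRET[KEY_LEN] = { 0 }; /* client never initialized it */
const struct payment SAMPLE_DB[2] = {
  { { 0xA1 }, { 0x5E, 0xC1 }, true },
  { { 0xB0 }, { 0x0B, 0x0B }, false },
};

/* Compare without an early exit so timing does not reveal a partial match. */
static bool ct_equal (const u8 *a, const u8 *b)
{
  u8 diff = 0;
  for (size_t i = 0; i < KEY_LEN; i++)
    diff |= (u8) (a[i] ^ b[i]);
  return 0 == diff;
}

/* Weak: any paid order on the account authorizes the upload. */
bool upload_allowed_weak (const struct payment *db, size_t n, const u8 *acct)
{
  for (size_t i = 0; i < n; i++)
    if (db[i].paid && ct_equal (db[i].account, acct))
      return true;
  return false;
}

/* Strict: the client must also present the secret of that paid order. */
bool upload_allowed_strict (const struct payment *db, size_t n,
                            const u8 *acct, const u8 *client_secret)
{
  for (size_t i = 0; i < n; i++)
    if (NULL != client_secret && db[i].paid && ct_equal (db[i].account, acct)
        && ct_equal (db[i].secret, client_secret))
      return true;
  return false;
}
```

With the sample data, the weak check accepts an upload to Alice's account from anyone, while the strict check rejects a missing or all-zero secret and accepts only `ALICE_SECRET`.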


Christian Grothoff

2021-04-11 17:28

manager   ~0017734

Fixed in 7333d32..51e44d8

Issue History

Date Modified Username Field Change
2021-04-11 14:53 Christian Grothoff New Issue
2021-04-11 14:53 Christian Grothoff Status new => assigned
2021-04-11 14:53 Christian Grothoff Assigned To => Christian Grothoff
2021-04-11 15:04 Christian Grothoff Priority normal => high
2021-04-11 15:06 Christian Grothoff Target Version 0.2.0 => 0.1.0
2021-04-11 17:28 Christian Grothoff Status assigned => resolved
2021-04-11 17:28 Christian Grothoff Resolution open => fixed
2021-04-11 17:28 Christian Grothoff Fixed in Version => 0.0.0
2021-04-11 17:28 Christian Grothoff Note Added: 0017734
2021-04-11 17:28 Christian Grothoff Target Version 0.1.0 => 0.0.0
2021-04-11 17:48 Christian Grothoff Status resolved => closed