From 33a516b14b4b0706419479e388742b3ab5432c7f Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela
Date: Fri, 12 Sep 2014 16:55:36 +0200
Subject: [PATCH] HTTP API: add missing access verification for all API calls
---
 src/api.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/api.c b/src/api.c
index 38295573..4eadf940 100644
--- a/src/api.c
+++ b/src/api.c
@@ -84,6 +84,9 @@ api_exec ( access_t *perm, const char *subsystem,
 return ENOSYS; // TODO: is this really the right error code?
 }
 
+ if (access_verify2(perm, ah->hook->ah_access))
+ return EPERM;
+
 /* Extract method */
 op = htsmsg_get_str(args, "method");
 if (!op)
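Review bot: The new gate `access_verify2(perm, ah->hook->ah_access)` is only as strict as the mask each hook registers, and nothing in this hunk shows what happens for a hook whose `ah_access` is zero or was never set; if access_verify2 (not visible here) treats an empty mask as satisfied, those hooks stay reachable by any caller despite the commit's "all API calls" intent. I would state that contract at the check, e.g. `/* Central permission gate: every hook must set ah_access; a zero mask is assumed to admit any caller - confirm against access_verify2 */`, and audit the hook tables for entries without a mask. The denial path also returns EPERM without a log line, while the unknown-subsystem branch above returns ENOSYS, so a warning naming `subsystem` on this path would give operators a signal when the API is being probed. api_exec starts and ends outside the hunk, so whether `perm` can be NULL when it reaches this call needs to be confirmed against the callers.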