swarm/api: Fix #18007, missing signature should return HTTP 400 (#18008)

2018-11-07 14:49:42 +01:00 · 2018-11-07 14:49:42 +01:00 · 36ca85fa1c
parent b35165555d
commit 36ca85fa1c
2 changed files with 38 additions and 6 deletions
--- a/swarm/api/http/server.go
+++ b/swarm/api/http/server.go
@ -484,7 +484,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	if updateRequest.IsUpdate() {
+	switch {
 	case updateRequest.IsUpdate():
 		// Verify that the signature is intact and that the signer is authorized
 		// to update this feed
 		// Check this early, to avoid creating a feed and then not being able to set its first update.
@ -497,9 +498,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 			respondError(w, r, err.Error(), http.StatusInternalServerError)
 			return
 		}
-	}
+		fallthrough
-
+	case query.Get("manifest") == "1":
 	if query.Get("manifest") == "1" {
 		// we create a manifest so we can retrieve feed updates with bzz:// later
 		// this manifest has a special "feed type" manifest, and saves the
 		// feed identification used to retrieve feed updates later
@ -519,6 +519,8 @@ func (s *Server) HandlePostFeed(w http.ResponseWriter, r *http.Request) {
 		fmt.Fprint(w, string(outdata))
 		w.Header().Add("Content-type", "application/json")
 	default:
 		respondError(w, r, "Missing signature in feed update request", http.StatusBadRequest)
 	}
 }
--- a/swarm/api/http/server_test.go
+++ b/swarm/api/http/server_test.go
@ -333,15 +333,45 @@ func TestBzzFeed(t *testing.T) {
 	}
 	urlQuery = testUrl.Query()
 	body = updateRequest.AppendValues(urlQuery) // this adds all query parameters
 	goodQueryParameters := urlQuery.Encode()    // save the query parameters for a second attempt
 	// create bad query parameters in which the signature is missing
 	urlQuery.Del("signature")
 	testUrl.RawQuery = urlQuery.Encode()
 	// 1st attempt with bad query parameters in which the signature is missing
 	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
+	expectedCode := http.StatusBadRequest
-		t.Fatalf("Update returned %s", resp.Status)
+	if resp.StatusCode != expectedCode {
 		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
 	}
 	// 2nd attempt with bad query parameters in which the signature is of incorrect length
 	urlQuery.Set("signature", "0xabcd") // should be 130 hex chars
 	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
 	expectedCode = http.StatusBadRequest
 	if resp.StatusCode != expectedCode {
 		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
 	}
 	// 3rd attempt, with good query parameters:
 	testUrl.RawQuery = goodQueryParameters
 	resp, err = http.Post(testUrl.String(), "application/octet-stream", bytes.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer resp.Body.Close()
 	expectedCode = http.StatusOK
 	if resp.StatusCode != expectedCode {
 		t.Fatalf("Update returned %s. Expected %d", resp.Status, expectedCode)
 	}
 	// get latest update through bzz-feed directly