From 5990577699fbdd0ebf4e71468c94a8b88892fb2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rn-Michael=20Miehe?= <40151420+ldericher@users.noreply.github.com>
Date: Tue, 29 Mar 2022 16:12:29 +0000
Subject: [PATCH] possible security flaw
---
 api/kiwi_vpn_api/routers/_common.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/api/kiwi_vpn_api/routers/_common.py b/api/kiwi_vpn_api/routers/_common.py
index 463f87f..fd380c5 100644
--- a/api/kiwi_vpn_api/routers/_common.py
+++ b/api/kiwi_vpn_api/routers/_common.py
@@ -84,7 +84,8 @@ async def get_current_user_if_exists(
     # fail if not requested by a user
     if current_user is None:
-        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND)
+        # don't use error 404 here: possible user enumeration
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
     return current_user
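Review bot: Switching the raise to 403 only closes the enumeration gap if every other authentication failure in this dependency answers with the same status and `detail` body; the credential/token checks that produce `current_user` are outside the hunk, and if they respond with 401 (FastAPI's security schemes do so by default when `auto_error` is on), a caller can still distinguish "token rejected" from "token accepted but user no longer exists" by the status alone. Consider routing all of these through one shared exception rather than an inline literal, so the status and body cannot drift apart, and extend the comment to state the invariant rather than just the avoided code: `# respond exactly like an invalid credential: a distinct status or detail here would let a caller probe which accounts exist`. If the rest of the dependency already uses 401, that status is also the semantically closer choice for an unauthenticated request; 403 implies the identity was established but is not permitted. The enclosing `get_current_user_if_exists` starts before the hunk.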