Fix token impersonation vulnerability

Signed-off-by: Patrik Dufresne <[email protected]>

Author: ikus060

README.md

@@ -128,6 +128,14 @@ We are passionate about developing and maintaining this open-source project to m
 
 # Changelog
 
+# 2.10.6 (2025-10-02)
+
+* Security: fix token impersonation vulnerability.
+
+# 2.10.5 (2025-06-20)
+
+* Send deprecation warning into the logs
+
 # 2.10.4 (2025-06-13)
 
 * **New Features:**

rdiffweb/controller/tests/test_api.py

@@ -205,6 +205,17 @@ def test_auth_with_access_token(self):
         # Then authentication is successful
         self.assertStatus('200 OK')
 
+    def test_auth_with_access_token_different_user(self):
+        # Given a user with an access token
+        userobj = UserObject.add_user('testuser', 'password')
+        userobj.commit()
+        token = userobj.add_access_token('test2').encode('ascii')
+        userobj.commit()
+        # When using this token to authenticated with /api
+        self.getPage('/api/', headers=[("Authorization", "Basic " + b64encode(b"admin:" + token).decode('ascii'))])
+        # Then authentication is successful
+        self.assertStatus(401)
+
     def test_auth_failed_with_mfa_enabled(self):
         # Given a user with MFA enabled
         userobj = UserObject.get_user(self.USERNAME)

rdiffweb/core/model/_user.py

@@ -501,7 +501,7 @@ def validate_access_token(self, token):
         """
         Check if the given token matches.
         """
-        for access_token in Token.query.all():
+        for access_token in Token.query.filter(Token.user == self).all():
             if access_token.is_expired:
                 continue
             if check_password(token, access_token.hash_token):