Files
@ a041321d2aa1
Branch filter:
Location: kallithea/init.d/celeryd-upstart.conf - annotation
a041321d2aa1
904 B
text/plain
security: apply CSRF check to all non-GET requests
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 24c0d584ba86 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 99ad9d0af1a3 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 58df0b3ed377 | # celeryd - run the celeryd daemon as an upstart job for kallithea
# Change variables/paths as necessary and place file /etc/init/celeryd.conf
# start/stop/restart as normal upstart job (ie: $ start celeryd)
description "Celery for Kallithea Mercurial Server"
author "Matt Zuba <matt.zuba@goodwillaz.org"
start on starting kallithea
stop on stopped kallithea
respawn
umask 0022
env PIDFILE=/tmp/celeryd.pid
env APPINI=/var/hg/kallithea/production.ini
env HOME=/var/hg
env USER=hg
# To use group (if different from user), you must edit sudoers file and change
# root's entry from (ALL) to (ALL:ALL)
# env GROUP=hg
script
COMMAND="/var/hg/.virtualenvs/kallithea/bin/paster celeryd $APPINI --pidfile=$PIDFILE"
if [ -z "$GROUP" ]; then
exec sudo -u $USER $COMMAND
else
exec sudo -u $USER -g $GROUP $COMMAND
fi
end script
post-stop script
rm -f $PIDFILE
end script
|