Files
@ a041321d2aa1
Branch filter:
Location: kallithea/init.d/supervisord.conf - annotation
a041321d2aa1
2.6 KiB
text/plain
security: apply CSRF check to all non-GET requests
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.
Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).
The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still does
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
24c0d584ba86 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 99ad9d0af1a3 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 99ad9d0af1a3 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 99ad9d0af1a3 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 03bbd33bc084 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 e4eabd2558b6 99ad9d0af1a3 99ad9d0af1a3 e4eabd2558b6 e4eabd2558b6 03bbd33bc084 03bbd33bc084 e4eabd2558b6 e4eabd2558b6 03bbd33bc084 | ; Kallithea Supervisord
; ##########################
; for help see http://supervisord.org/configuration.html
; ##########################
[inet_http_server] ; inet (TCP) server disabled by default
port=127.0.0.1:9001 ; (ip_address:port specifier, *:port for all iface)
;username=user ; (default is no username (open server))
;password=123 ; (default is no password (open server))
[supervisord]
logfile=/%(here)s/supervisord_kallithea.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10 ; (num of main logfile rotation backups;default 10)
loglevel=info ; (log level;default info; others: debug,warn,trace)
pidfile=/%(here)s/supervisord_kallithea.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=true ; (start in foreground if true;default false)
minfds=1024 ; (min. avail startup file descriptors;default 1024)
minprocs=200 ; (min. avail process descriptors;default 200)
umask=022 ; (process file creation umask;default 022)
user=username ; (default is current user, required if root)
;identifier=supervisor ; (supervisord identifier, default is 'supervisor')
;directory=/tmp ; (default is not to cd during start)
;nocleanup=true ; (don't clean up tempfiles at start;default false)
;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP)
environment=HOME=/srv/kallithea ; (key value pairs to add to environment)
;strip_ansi=false ; (strip ansi escape codes in logs; def. false)
; the below section must remain in the config file for RPC
; (supervisorctl/web interface) to work, additional interfaces may be
; added by defining them in separate rpcinterface: sections
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket
;username=user ; should be same as http_username if set
;password=123 ; should be same as http_password if set
;prompt=mysupervisor ; cmd line prompt (default "supervisor")
;history_file=~/.sc_history ; use readline history if available
; restart with supervisorctl restart kallithea:*
[program:kallithea]
numprocs = 1
numprocs_start = 5000 # possible should match ports
directory=/srv/kallithea
command = /srv/kallithea/venv/bin/paster serve my.ini
process_name = %(program_name)s_%(process_num)04d
redirect_stderr=true
stdout_logfile=/%(here)s/kallithea.log
|