# HG changeset patch
# User Mads Kiilerich
# Date 2016-08-04 14:23:36
# Node ID 2ac4a70134b63b87347d97a9e9f7c5743e2f305e
# Parent 23ff4e66391a221501ce5cc0e600c95a2062fc0b
auth: disallow PUT and _method method override

diff --git a/kallithea/config/middleware.py b/kallithea/config/middleware.py
--- a/kallithea/config/middleware.py
+++ b/kallithea/config/middleware.py
@@ -59,7 +59,7 @@ def make_app(global_conf, full_stack=Tru
     app = PylonsApp(config=config)
 
     # Routing/Session/Cache Middleware
-    app = RoutesMiddleware(app, config['routes.map'])
+    app = RoutesMiddleware(app, config['routes.map'], use_method_override=False)
     app = SecureSessionMiddleware(app, config)
 
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -753,19 +753,14 @@ class LoginRequired(object):
             log.warning('API access to %s is not allowed', loc)
             raise HTTPForbidden()
 
-        # Only allow the following HTTP request methods. (We sometimes use POST
-        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only
-        # used for the route lookup, and does not affect request.method.)
-        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
+        # Only allow the following HTTP request methods.
+        if request.method not in ['GET', 'HEAD', 'POST']:
             raise HTTPMethodNotAllowed()
 
-        # Also verify the _method override. This is only permitted in POST
-        # requests, and can specify PUT or DELETE.
+        # Also verify the _method override - no longer allowed
         _method = request.params.get('_method')
         if _method is None:
             pass # no override, no problem
-        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
-            pass # permitted override
         else:
             raise HTTPMethodNotAllowed()
 
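Review bot: The `use_method_override=False` keyword on the RoutesMiddleware line is the change that actually stops Routes from rewriting the request method from a `_method` parameter, but nothing on the line records why it is set, so a future cleanup could drop it as a redundant default. A short comment such as `# Never let a POST be rewritten to PUT/DELETE via _method; LoginRequired in lib/auth.py rejects any override as a second check` would tie the two halves of this commit together. make_app begins outside the hunk.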
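Review bot: The `_method` check in the new lines now has only one outcome, so the `if _method is None: pass` / `else: raise` shape is more indirection than the rule needs; `if request.params.get('_method') is not None: raise HTTPMethodNotAllowed()` states it directly, and the comment on the line above could say what it protects, e.g. `# Reject any _method override outright; RoutesMiddleware is created with use_method_override=False, so this is a defence-in-depth check`. Since this check runs inside LoginRequired it presumably only covers views that use that decorator, with the middleware change in kallithea/config/middleware.py covering the rest; saying so in the comment would make a later re-enable of the override easier to spot in review. The enclosing method begins before this hunk.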