# HG changeset patch
# User Søren Løvborg <sorenl@unity3d.com>
# Date 2016-04-19 18:02:56
# Node ID 9b74296e6af624023970d8634e804b76ed2dd2b4
# Parent  81057be7a5c10e1cd08d32c923468e41cf417ed1

auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691)

Routes allows GET requests to override the HTTP method, which breaks
the Kallithea CSRF protection (which only applies to POST requests).

This commit blocks such GET request, preventing CSRF attacks.

diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -766,6 +766,16 @@ class LoginRequired(object):
         if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
             return abort(405)
 
+        # Also verify the _method override. This is only permitted in POST
+        # requests, and can specify PUT or DELETE.
+        _method = request.params.get('_method')
+        if _method is None:
+            pass # no override, no problem
+        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
+            pass # permitted override
+        else:
+            raise HTTPMethodNotAllowed()
+
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
         if secure_form.token_key in request.GET:
             log.error('CSRF key leak detected')