Changeset - 2ac4a70134b6
default
Mads Kiilerich - 9 years ago 2016-08-04 14:23:36
madski@unity3d.com
auth: disallow PUT and _method method override
2 files changed with 4 insertions and 9 deletions:
kallithea/config/middleware.py
 
@@ -59,7 +59,7 @@ def make_app(global_conf, full_stack=Tru
 
    app = PylonsApp(config=config)
 

	
 
    # Routing/Session/Cache Middleware
 
    app = RoutesMiddleware(app, config['routes.map'])
 
    app = RoutesMiddleware(app, config['routes.map'], use_method_override=False)
 
    app = SecureSessionMiddleware(app, config)
 

	
 
    # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
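Review bot: The new `use_method_override=False` argument on the RoutesMiddleware line has no comment saying why the Routes `_method` override is being switched off, so a later cleanup could drop the argument and silently restore method rewriting for POST forms. A one-line comment above it would pin the intent: `# Keep Routes from rewriting REQUEST_METHOD from a '_method' parameter; routing must use the real HTTP method (LoginRequired in lib/auth.py rejects the parameter as well).` That also ties this line to the auth.py change in the same changeset, since the two only give full coverage together. make_app begins outside the hunk.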
kallithea/lib/auth.py
 
@@ -753,19 +753,14 @@ class LoginRequired(object):
 
                log.warning('API access to %s is not allowed', loc)
 
                raise HTTPForbidden()
 

	
 
        # Only allow the following HTTP request methods. (We sometimes use POST
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only
 
        # used for the route lookup, and does not affect request.method.)
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
 
        # Only allow the following HTTP request methods.
 
        if request.method not in ['GET', 'HEAD', 'POST']:
 
            raise HTTPMethodNotAllowed()
 

	
 
        # Also verify the _method override. This is only permitted in POST
 
        # requests, and can specify PUT or DELETE.
 
        # Also verify the _method override - no longer allowed
 
        _method = request.params.get('_method')
 
        if _method is None:
 
            pass # no override, no problem
 
        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
 
            pass # permitted override
 
        else:
 
            raise HTTPMethodNotAllowed()
 

	
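Review bot: The `_method` handling that survives after the `# Also verify the _method override - no longer allowed` comment still reads as an `if _method is None: pass ... else: raise` ladder, which is a no-op branch wrapped around the reject (the diffstat of 3 insertions and 8 deletions for this file suggests only the permitted-override `elif` was dropped, but the final shape is not fully visible here). A single guard states the policy directly: `if request.params.get('_method') is not None:` followed by `raise HTTPMethodNotAllowed()`. The comment being removed says POST plus `_method` was used for route lookup, so any template or form still posting `_method=PUT` or `DELETE` now receives a 405 from every LoginRequired-wrapped view; confirming those callers were converted would be worth a sentence in the commit message. Note this check only runs for views wrapped in LoginRequired, so the middleware.py change in the same changeset is what makes the policy global. The LoginRequired class and the enclosing method both start outside the hunk.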