kallithea Changeset - 2ac4a70134b6

Changeset - 2ac4a70134b6

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 9 years ago 2016-08-04 14:23:36
madski@unity3d.com

auth: disallow PUT and _method method override

2 files changed with 4 insertions and 9 deletions:

kallithea/config/middleware.py

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/config/middleware.py

➞

Show inline comments

@@ @@ -38,49 +38,49 @@ def make_app(global_conf, full_stack=Tru @@
     ``global_conf``
         The inherited configuration for this application. Normally from
         the [DEFAULT] section of the Paste ini file.
     ``full_stack``
         Whether or not this application provides a full WSGI stack (by
         default, meaning it handles its own exceptions and errors).
         Disable full_stack when this application is "managed" by
         another WSGI middleware.
     ``app_conf``
         The application's local configuration. Normally specified in
         the [app:<name>] section of the Paste ini file (where <name>
         defaults to main).
     """
     # Configure the Pylons environment
     config = load_environment(global_conf, app_conf)
     # The Pylons WSGI app
     app = PylonsApp(config=config)
     # Routing/Session/Cache Middleware
     app = RoutesMiddleware(app, config['routes.map'])
+    app = RoutesMiddleware(app, config['routes.map'], use_method_override=False)
     app = SecureSessionMiddleware(app, config)
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
     if asbool(config['pdebug']):
         from kallithea.lib.profiler import ProfilingMiddleware
         app = ProfilingMiddleware(app)
     if asbool(full_stack):
         from kallithea.lib.middleware.sentry import Sentry
         from kallithea.lib.middleware.errormator import Errormator
         if Errormator and asbool(config['app_conf'].get('errormator')):
             app = Errormator(app, config)
         elif Sentry:
             app = Sentry(app, config)
         # Handle Python exceptions
         app = ErrorHandler(app, global_conf, **config['pylons.errorware'])
         # Display error documents for 401, 403, 404 status codes (and
         # 500 when debug is disabled)
         # Note: will buffer the output in memory!
         if asbool(config['debug']):
             app = StatusCodeRedirect(app)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -732,61 +732,56 @@ class LoginRequired(object): @@
         user = controller.authuser
         loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
         log.debug('Checking access for user %s @ %s', user, loc)
         if not AuthUser.check_ip_allowed(user, controller.ip_addr):
             raise _redirect_to_login(_('IP %s not allowed') % controller.ip_addr)
         # check if we used an API key and it's a valid one
         api_key = request.GET.get('api_key')
         if api_key is not None:
             # explicit controller is enabled or API is in our whitelist
             if self.api_access or allowed_api_access(loc, api_key=api_key):
                 if api_key in user.api_keys:
                     log.info('user %s authenticated with API key ****%s @ %s',
                              user, api_key[-4:], loc)
                     return func(*fargs, **fkwargs)
                 else:
                     log.warning('API key ****%s is NOT valid', api_key[-4:])
                     raise _redirect_to_login(_('Invalid API key'))
             else:
                 # controller does not allow API access
                 log.warning('API access to %s is not allowed', loc)
                 raise HTTPForbidden()
         # Only allow the following HTTP request methods. (We sometimes use POST
         # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only
         # used for the route lookup, and does not affect request.method.)
         if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
         # Only allow the following HTTP request methods.
         if request.method not in ['GET', 'HEAD', 'POST']:
             raise HTTPMethodNotAllowed()
         # Also verify the _method override. This is only permitted in POST
         # requests, and can specify PUT or DELETE.
         # Also verify the _method override - no longer allowed
         _method = request.params.get('_method')
         if _method is None:
             pass # no override, no problem
         elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
             pass # permitted override
         else:
             raise HTTPMethodNotAllowed()
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
         if secure_form.token_key in request.GET:
             log.error('CSRF key leak detected')
             session.pop(secure_form.token_key, None)
             session.save()
             from kallithea.lib import helpers as h
             h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),
                     category='error')
         # CSRF protection: Whenever a request has ambient authority (whether
         # through a session cookie or its origin IP address), it must include
         # the correct token, unless the HTTP method is GET or HEAD (and thus
         # guaranteed to be side effect free. In practice, the only situation
         # where we allow side effects without ambient authority is when the
         # authority comes from an API key; and that is handled above.
         if request.method not in ['GET', 'HEAD']:
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
                 log.error('CSRF check failed')
                 raise HTTPForbidden()

0 comments (0 inline, 0 general)