Changeset - 9b74296e6af6
stable
Søren Løvborg - 10 years ago 2016-04-19 18:02:56
sorenl@unity3d.com
auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691)

Routes allows GET requests to override the HTTP method, which breaks
the Kallithea CSRF protection (which only applies to POST requests).

This commit blocks such GET requests, preventing CSRF attacks.
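The bypass the commit message describes, and the policy that closes it, as an added stand-alone example that is not Kallithea's code: a framework-free model of the method-override and CSRF-token rules, so the cases can be run offline. The function names (`effective_method`, `check_csrf`, `demo`), the exception classes, the token field name `CSRF_TOKEN_KEY` and the plain-dict request shape are all assumptions of this example, not Kallithea or Routes identifiers.

```python
# Added example, not Kallithea's code: models a Routes-style ``_method``
# override on top of a CSRF check that only applies to non-safe methods.
# Names and the dict-based request shape are assumptions of this example.

SAFE_METHODS = ("GET", "HEAD")
ALLOWED_METHODS = ("GET", "HEAD", "POST", "PUT")
CSRF_TOKEN_KEY = "_authentication_token"  # assumed name of the form token field


class MethodNotAllowed(Exception):
    """Request rejected; an application would answer with HTTP 405."""


class CsrfTokenInUrl(Exception):
    """CSRF token found in the query string (leak via Referer/logs/history)."""


def effective_method(method, query, form):
    """Return the method the request will actually be dispatched as.

    A ``_method`` override is honoured only inside a POST body. Without this
    rule a GET request carrying ``_method=DELETE`` would be dispatched as a
    DELETE while the POST-only CSRF check never ran, which is the weakness
    the commit fixes.
    """
    method = method.upper()
    if method not in ALLOWED_METHODS:
        raise MethodNotAllowed(method)

    # Routes reads the override from the combined params (query + body).
    params = {**query, **form}
    override = params.get("_method")
    if override is None:
        return method                      # no override, no problem
    override = override.upper()
    if method == "POST" and override in ("PUT", "DELETE"):
        return override                    # permitted override
    raise MethodNotAllowed(f"{method} with _method={override}")


def check_csrf(method, query, form, session_token):
    """Apply the CSRF check after method normalisation.

    Returns the effective method when the request is acceptable and raises
    otherwise. The token must arrive in the body, never in the URL.
    """
    eff = effective_method(method, query, form)

    # A token in the query string is treated as leaked and refused outright,
    # even if its value happens to be correct.
    if CSRF_TOKEN_KEY in query:
        raise CsrfTokenInUrl()

    if eff in SAFE_METHODS:
        return eff                         # safe methods carry no CSRF check

    if form.get(CSRF_TOKEN_KEY) != session_token:
        raise PermissionError("CSRF token missing or invalid")
    return eff


def demo():
    """Constructed requests covering the cases the commit message describes."""
    token = "s3ss10n-t0k3n"                # constructed session token
    results = {}
    # 1. ordinary page view: allowed, no token needed
    results["get"] = check_csrf("GET", {}, {}, token)
    # 2. the CVE-2016-3691 pattern: GET with a method override is rejected
    try:
        check_csrf("GET", {"_method": "DELETE"}, {}, token)
    except MethodNotAllowed:
        results["get_override"] = "rejected"
    # 3. legitimate POST form with override and token: dispatched as DELETE
    results["post_override"] = check_csrf(
        "POST", {}, {"_method": "DELETE", CSRF_TOKEN_KEY: token}, token)
    # 4. POST without a token is refused by the CSRF check itself
    try:
        check_csrf("POST", {}, {}, token)
    except PermissionError:
        results["post_no_token"] = "rejected"
    # 5. a valid token placed in the URL is refused as a leak
    try:
        check_csrf("POST", {CSRF_TOKEN_KEY: token}, {CSRF_TOKEN_KEY: token}, token)
    except CsrfTokenInUrl:
        results["token_in_url"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The override is read from the merged query and body parameters, as Routes does, but it only takes effect when the outer method is POST; that single condition is what stops a safe-method request from being promoted past the CSRF check.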
1 file changed with 10 insertions and 0 deletions:
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
 
@@ -766,6 +766,16 @@ class LoginRequired(object):
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
 
            return abort(405)
 

	
 
        # Also verify the _method override. This is only permitted in POST
 
        # requests, and can specify PUT or DELETE.
 
        _method = request.params.get('_method')
 
        if _method is None:
 
            pass # no override, no problem
 
        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
 
            pass # permitted override
 
        else:
 
            raise HTTPMethodNotAllowed()
 

	
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.
 
        if secure_form.token_key in request.GET:
 
            log.error('CSRF key leak detected')
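Review bot: the comment on the `secure_form.token_key in request.GET` check says the token is invalidated, but the only action visible in this hunk is `log.error('CSRF key leak detected')`; if the lines that follow do not actually reject or regenerate the token, a token-bearing URL still passes the CSRF check, so please confirm the invalidation is there and consider adding request path and user to the log line so the event can be triaged. Minor: the existing check above uses `return abort(405)` while the new `_method` check uses `raise HTTPMethodNotAllowed()`; using one form for both rejections keeps the responses consistent.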