Changeset - 9b74296e6af6
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Søren Løvborg - 10 years ago 2016-04-19 18:02:56
sorenl@unity3d.com
auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691)

Routes allows GET requests to override the HTTP method, which breaks
the Kallithea CSRF protection (which only applies to POST requests).

This commit blocks such GET request, preventing CSRF attacks.
1 file changed with 10 insertions and 0 deletions:
kallithea/lib/auth.py
10
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -757,24 +757,34 @@ class LoginRequired(object):
 
                    return redirect_to_login(_('Invalid API key'))
 
            else:
 
                # controller does not allow API access
 
                log.warning('API access to %s is not allowed', loc)
 
                return abort(403)
 

			




	
	
	
		
 
        # Only allow the following HTTP request methods. (We sometimes use POST

			




	
	
	
		
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

			




	
	
	
		
 
        # used for the route lookup, and does not affect request.method.)

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

			




	
	
	
		
 
            return abort(405)

			




	
	
	
		
 

			




	
	
	
		
 
        # Also verify the _method override. This is only permitted in POST

			




	
	
	
		
 
        # requests, and can specify PUT or DELETE.

			




	
	
	
		
 
        _method = request.params.get('_method')

			




	
	
	
		
 
        if _method is None:

			




	
	
	
		
 
            pass # no override, no problem

			




	
	
	
		
 
        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:

			




	
	
	
		
 
            pass # permitted override

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            raise HTTPMethodNotAllowed()

			




	
	
	
		
 

			




	
	
	
		
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.

			




	
	
	
		
 
        if secure_form.token_key in request.GET:

			




	
	
	
		
 
            log.error('CSRF key leak detected')

			




	
	
	
		
 
            session.pop(secure_form.token_key, None)

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
            from kallithea.lib import helpers as h

			




	
	
	
		
 
            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.