Changeset - ef392737c203
stable
Mads Kiilerich - 10 years ago 2015-09-26 02:34:37
madski@unity3d.com
auth: validate that the token protecting from CSRF attacks never is leaked

This partly gives some protection if a leak should happen, and partly makes sure
the leak doesn't go unnoticed but is found so it can be fixed.
1 file changed with 10 insertions and 1 deletions:
kallithea/lib/auth.py
 
@@ -34,7 +34,7 @@ import collections
 

	
 
from decorator import decorator
 

	
 
from pylons import url, request
 
from pylons import url, request, session
 
from pylons.controllers.util import abort, redirect
 
from pylons.i18n.translation import _
 
from webhelpers.pylonslib import secure_form
 
@@ -766,6 +766,15 @@ class LoginRequired(object):
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
 
            return abort(405)
 

	
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.
 
        if secure_form.token_key in request.GET:
 
            log.error('CSRF key leak detected')
 
            session.pop(secure_form.token_key, None)
 
            session.save()
 
            from kallithea.lib import helpers as h
 
            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),
 
                    category='error')
 

	
 
        # CSRF protection: Whenever a request has ambient authority (whether
 
        # through a session cookie or its origin IP address), it must include
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus
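Review bot: The `log.error('CSRF key leak detected')` line in the second hunk records no request context, so the leak the description wants "found so it can be fixed" cannot be traced back to the page or link that put the token in the URL. Log the path and the referer, but not `request.url` or the query string, since those would copy the leaked token value into the log: `log.error('CSRF token found in query string of %s (referer: %s)', request.path_info, request.referer)` (assuming the pylons/WebOb request exposes `referer` as usual here). Note also that this branch is reachable by anyone who can make a logged-in user load a link carrying a `_authentication_token` parameter, which expires that user's open forms and adds an error-level log entry per hit; that is acceptable as a tripwire but worth a comment so the noise is not mistaken for an application bug. The enclosing LoginRequired `__call__` method begins before and continues after this hunk, so whether the token comparison that follows reads from `request.POST` only or from merged params cannot be confirmed from here.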