Changeset - ef392737c203
Parent rev.
Child rev.
[Not reviewed]
stable
0 1 0
Mads Kiilerich - 10 years ago 2015-09-26 02:34:37
madski@unity3d.com
auth: validate that the token protecting from CSRF attacks never is leaked

This will partly give some protection if it should happen, partly make sure the
leak doesn't go unnoticed but is found so it can be fixed.
1 file changed with 10 insertions and 1 deletions:
kallithea/lib/auth.py
10
1
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -31,13 +31,13 @@ import traceback
 
import hashlib
 
import itertools
 
import collections
 

			




	
	
	
		
 
from decorator import decorator

			




	
	
	
		
 

			




	
	
	
		
 
from pylons import url, request

			




	
	
	
		
 
from pylons import url, request, session

			




	
	
	
		
 
from pylons.controllers.util import abort, redirect

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from webhelpers.pylonslib import secure_form

			




	
	
	
		
 
from sqlalchemy import or_

			




	
	
	
		
 
from sqlalchemy.orm.exc import ObjectDeletedError

			




	
	
	
		
 
from sqlalchemy.orm import joinedload

			




	
	
		
 
@@ -763,12 +763,21 @@ class LoginRequired(object):

			




	
	
	
		
 
        # Only allow the following HTTP request methods. (We sometimes use POST

			




	
	
	
		
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

			




	
	
	
		
 
        # used for the route lookup, and does not affect request.method.)

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

			




	
	
	
		
 
            return abort(405)

			




	
	
	
		
 

			




	
	
	
		
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.

			




	
	
	
		
 
        if secure_form.token_key in request.GET:

			




	
	
	
		
 
            log.error('CSRF key leak detected')

			




	
	
	
		
 
            session.pop(secure_form.token_key, None)

			




	
	
	
		
 
            session.save()

			




	
	
	
		
 
            from kallithea.lib import helpers as h

			




	
	
	
		
 
            h.flash(_("CSRF token leak has been detected - all form tokens have been expired"),

			




	
	
	
		
 
                    category='error')

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




	
	
	
		
 
        # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
        # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
        # authority comes from an API key; and that is handled above.

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.