Files @ a041321d2aa1
Location: kallithea/CONTRIBUTORS

Søren Løvborg
security: apply CSRF check to all non-GET requests

The automatic CSRF protection was broken for POST requests with no
request payload parameters (but possibly containing request URI
parameters); a security hole was narrowly avoided because the code
base quite consistently checks the request method in the same way,
and because of browser protection against PUT/DELETE CSRF attacks.

Since explicit is better than implicit, the better way of checking
the HTTP request method is to simply check request.method, instead
of checking if request.POST is non-empty, which is subtly different
(it doesn't catch POST requests if all parameters are in the query
string) and non-obvious (because it also applies to PUT requests).

The commit also fixes some tests which relied on the CSRF protection
being broken. It does not fix all the controllers that still do
the misleading request.POST check, but since the CSRF check has now
been tightened, those are no longer a potential security issue.
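The distinction the commit message draws, shown as an added example that is not Kallithea's own code: the old gate keyed on `request.POST` being non-empty, the tightened gate keys on `request.method`. The `Request` class below is a constructed stand-in for the WebOb request object Pylons applications see (it models only `method`, `GET`, `POST` and `params`), and the `_authentication_token` form field name, the `session_token` attribute and all token values are assumptions made for the example.

```python
"""
Added example, not Kallithea's code: old versus tightened CSRF gate.
"""
import hmac
from urllib.parse import parse_qs


class Request:
    """Constructed stand-in for a WebOb/Pylons request (example only)."""

    def __init__(self, method, query_string="", body="", session_token=None):
        self.method = method
        self.GET = {k: v[0] for k, v in parse_qs(query_string).items()}
        # WebOb semantics: request.POST holds form-encoded body parameters
        # for POST and PUT (and PATCH) and is empty for other methods.
        if method in ("POST", "PUT", "PATCH"):
            self.POST = {k: v[0] for k, v in parse_qs(body).items()}
        else:
            self.POST = {}
        # Assumed attribute: the token stored in the user's session.
        self.session_token = session_token

    @property
    def params(self):
        """Query-string and body parameters merged, body winning."""
        merged = dict(self.GET)
        merged.update(self.POST)
        return merged


def token_valid(request):
    """Constant-time comparison of the submitted token against the session's."""
    submitted = request.params.get("_authentication_token", "")  # assumed field name
    expected = request.session_token or ""
    return bool(expected) and hmac.compare_digest(submitted, expected)


def csrf_ok_old(request):
    """Old gate: only enforced when the form body is non-empty.

    A POST whose parameters all travel in the query string has an empty
    request.POST, so the check is silently skipped; a PUT with a body is
    checked, which the commit message calls non-obvious.
    """
    if request.POST:
        return token_valid(request)
    return True


def csrf_ok_new(request):
    """Tightened gate: enforced for every request that is not a GET."""
    if request.method != "GET":
        return token_valid(request)
    return True


def compare(request):
    """Outcome of both gates for one request."""
    return {"old": csrf_ok_old(request), "new": csrf_ok_new(request)}


SESSION_TOKEN = "example-session-token"  # constructed value


def scenarios():
    """Constructed requests illustrating the gap the commit closes."""
    with_token = "repo=example&_authentication_token=" + SESSION_TOKEN
    return {
        # POST with an empty body and every parameter in the query string:
        # the old gate let it through, the new gate requires a token.
        "post_query_only": compare(Request("POST", "repo=example", "", SESSION_TOKEN)),
        # Ordinary form POST without a token: both gates reject.
        "post_body_no_token": compare(Request("POST", "", "repo=example", SESSION_TOKEN)),
        # Legitimate POST carrying the token in the body: both gates accept.
        "post_body_with_token": compare(Request("POST", "", with_token, SESSION_TOKEN)),
        # PUT with a body but no token: rejected by both (request.POST is
        # populated for PUT, so even the old gate applied here).
        "put_no_token": compare(Request("PUT", "", "repo=example", SESSION_TOKEN)),
        # GET never needs a token under either gate.
        "get": compare(Request("GET", "repo=example", "", SESSION_TOKEN)),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} old={result['old']!s:5s} new={result['new']}")
```

Only the `post_query_only` row differs between the two gates, which is exactly the case the commit message describes; the PUT row shows why "request.POST is non-empty" was never equivalent to "this is a POST".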

List of contributors to the Kallithea project:
    Marcin Kuźmiński <marcin@python-works.com>
    Lukasz Balcerzak <lukaszbalcerzak@gmail.com>
    Jason Harris <jason@jasonfharris.com>
    Thayne Harbaugh  <thayne@fusionio.com>
    cejones <>
    Thomas Waldmann <tw-public@gmx.de>
    Lorenzo M. Catucci <lorenzo@sancho.ccd.uniroma2.it>
    Dmitri Kuznetsov <>
    Jared Bunting <jared.bunting@peachjean.com>
    Steve Romanow <slestak989@gmail.com>
    Augosto Hermann <augusto.herrmann@planejamento.gov.br>
    Ankit Solanki <ankit.solanki@gmail.com>
    Liad Shani <liadff@gmail.com>
    Les Peabody <lpeabody@gmail.com>
    Jonas Oberschweiber <jonas.oberschweiber@d-velop.de>
    Matt Zuba <matt.zuba@goodwillaz.org>
    Aras Pranckevicius <aras@unity3d.com>
    Tony Bussieres <t.bussieres@gmail.com>
    Erwin Kroon <e.kroon@smartmetersolutions.nl>
    nansenat16 <nansenat16@null.tw>
    Vincent Duvert <vincent@duvert.net>
    Takumi IINO <trot.thunder@gmail.com>
    Indra Talip <indra.talip@gmail.com>
    James Rhodes <jrhodes@redpointsoftware.com.au>
    Dominik Ruf <dominikruf@gmail.com>
    xpol <xpolife@gmail.com>
    Vincent Caron <vcaron@bearstech.com>
    Zachary Auclair <zach101@gmail.com>
    Stefan Engel <mail@engel-stefan.de>
    Andrew Shadura <andrew@shadura.me>
    Raoul Thill <raoul.thill@gmail.com>
    Philip Jameson <philip.j@hostdime.com>
    Mads Kiilerich <madski@unity3d.com>
    Dan Sheridan <djs@adelard.com>
    Dennis Brakhane <brakhane@googlemail.com>
    Simon Lopez <simon.lopez@slopez.org>
    Jonathan Sternberg <jonathansternberg@gmail.com>
    Grzegorz Rożniecki <xaerxess@gmail.com>
    Andrew Kesterson <andrew@aklabs.net>
    David A. Sjøen <david.sjoen@westcon.no>
    Jelmer Vernooij <jelmer@samba.org>
    larikale
    SteveCohen
    RhodeCode GmbH
    Sebastian Kreutzberger <sebastian@rhodecode.com>
    thomas <thomas@rhodecode.com>
    Bradley M. Kuhn <bkuhn@sfconservancy.org>
    Sean Farley <sean.michael.farley@gmail.com>
    Martin Vium <martinv@unity3d.com>
    Daniel Anderson <daniel@dattrix.com>
    Travis Burtrum <android@moparisthebest.com>
    Calinou <calinou@opmbx.org>
    Christian Oyarzun <oyarzun@gmail.com>
    Denis Blanchette <dblanchette@coveo.com>
    duanhongyi <duanhongyi@doopai.com>
    Henrik Stuart <hg@hstuart.dk>
    Ingo von Borstel <kallithea@planetmaker.de>
    Jan Heylen <heyleke@gmail.com>
    Jim Hague <jim.hague@acm.org>
    Joseph Rivera <rivera.d.joseph@gmail.com>
    Kazunari Kobayashi <kobanari@nifty.com>
    Matt Fellows <kallithea@matt-fellows.me.uk>
    Max Roman <max@choloclos.se>
    Michael Pohl <michael@mipapo.de>
    Michael V. DePalatis <mike@depalatis.net>
    Michal Čihař <michal@cihar.com>
    Morten Skaaning <mortens@unity3d.com>
    Na'Tosha Bard <natosha@unity3d.com>
    Nick High <nick@silverchip.org>
    Niemand Jedermann <predatorix@web.de>
    Peter Vitt <petervitt@web.de>
    Sam Jaques <sam.jaques@me.com>
    Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
    Tuux <tuxa@galaxie.eu.org>
    Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
    Kevin Bullock <kbullock@ringworld.org>
    Marc Villetard <marc.villetard@gmail.com>
    Matthias Zilk <matthias.zilk@gmail.com>
    Tim Freund <tim@freunds.net>