kallithea Changeset - ae947de541d5

Changeset - ae947de541d5

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich - 11 years ago 2015-04-07 03:30:05
madski@unity3d.com

auth: check CSRF protection token when authenticating

Use pylons secure_form to get CSRF protection on all authenticated POSTs. This
fixes CVE-2015-0276.

GETs should not have any side effects and do thus not need CSRF protection.

Reported by Paul van Empelen.

1 file changed with 8 insertions and 0 deletions:

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -39,6 +39,7 @@ from decorator import decorator @@
 from pylons import url, request
 from pylons.controllers.util import abort, redirect
 from pylons.i18n.translation import _
 from webhelpers.pylonslib import secure_form
 from sqlalchemy import or_
 from sqlalchemy.orm.exc import ObjectDeletedError
 from sqlalchemy.orm import joinedload
@@ @@ -764,6 +765,13 @@ class LoginRequired(object): @@
                 else:
                     log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
         # CSRF protection - POSTs with session auth must contain correct token
         if request.POST and user.is_authenticated and not api_access_valid:
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
                 log.error('CSRF check failed')
                 return abort(403)
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'

0 comments (0 inline, 0 general)