Changeset - ae947de541d5
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 11 years ago 2015-04-07 03:30:05
madski@unity3d.com
auth: check CSRF protection token when authenticating

Use pylons secure_form to get CSRF protection on all authenticated POSTs. This
fixes CVE-2015-0276.

GETs should not have any side effects and do thus not need CSRF protection.

Reported by Paul van Empelen.
1 file changed with 8 insertions and 0 deletions:
kallithea/lib/auth.py
8
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -36,12 +36,13 @@ import collections
 
from tempfile import _RandomNameSequence
 
from decorator import decorator
 

			




	
	
	
		
 
from pylons import url, request

			




	
	
	
		
 
from pylons.controllers.util import abort, redirect

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from webhelpers.pylonslib import secure_form

			




	
	
	
		
 
from sqlalchemy import or_

			




	
	
	
		
 
from sqlalchemy.orm.exc import ObjectDeletedError

			




	
	
	
		
 
from sqlalchemy.orm import joinedload

			




	
	
	
		
 

			




	
	
	
		
 
from kallithea import __platform__, is_windows, is_unix

			




	
	
	
		
 
from kallithea.lib.vcs.utils.lazy import LazyProperty

			




	
	
		
 
@@ -761,12 +762,19 @@ class LoginRequired(object):

			




	
	
	
		
 
                api_access_valid = False

			




	
	
	
		
 
                if not _api_key:

			




	
	
	
		
 
                    log.debug("API KEY *NOT* present in request")

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection - POSTs with session auth must contain correct token

			




	
	
	
		
 
        if request.POST and user.is_authenticated and not api_access_valid:

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))

			




	
	
	
		
 
        reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'

			




	
	
	
		
 

			




	
	
	
		
 
        if ip_access_valid and (user.is_authenticated or api_access_valid):

			




	
	
	
		
 
            log.info('user %s authenticating with:%s IS authenticated on func %s '

			




	
	
	
		
 
                     % (user, reason, loc)

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        Server instance: clio-30913
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.
            – Support