# HG changeset patch
# User Mads Kiilerich
# Date 1470313416 -7200
# Node ID 2ac4a70134b63b87347d97a9e9f7c5743e2f305e
# Parent 23ff4e66391a221501ce5cc0e600c95a2062fc0b
auth: disallow PUT and _method method override

diff -r 23ff4e66391a -r 2ac4a70134b6 kallithea/config/middleware.py
--- a/kallithea/config/middleware.py Thu Aug 04 14:23:36 2016 +0200
+++ b/kallithea/config/middleware.py Thu Aug 04 14:23:36 2016 +0200
@@ -59,7 +59,7 @@
 app = PylonsApp(config=config)
 
 # Routing/Session/Cache Middleware
-app = RoutesMiddleware(app, config['routes.map'])
+app = RoutesMiddleware(app, config['routes.map'], use_method_override=False)
 app = SecureSessionMiddleware(app, config)
 
 # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
diff -r 23ff4e66391a -r 2ac4a70134b6 kallithea/lib/auth.py
--- a/kallithea/lib/auth.py Thu Aug 04 14:23:36 2016 +0200
+++ b/kallithea/lib/auth.py Thu Aug 04 14:23:36 2016 +0200
@@ -753,19 +753,14 @@
 log.warning('API access to %s is not allowed', loc)
 raise HTTPForbidden()
 
-# Only allow the following HTTP request methods. (We sometimes use POST
-# requests with a '_method' set to 'PUT' or 'DELETE'; but that is only
-# used for the route lookup, and does not affect request.method.)
-if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
+# Only allow the following HTTP request methods.
+if request.method not in ['GET', 'HEAD', 'POST']:
 raise HTTPMethodNotAllowed()
 
-# Also verify the _method override. This is only permitted in POST
-# requests, and can specify PUT or DELETE.
+# Also verify the _method override - no longer allowed
 _method = request.params.get('_method')
 if _method is None:
 pass # no override, no problem
-elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
-pass # permitted override
 else:
 raise HTTPMethodNotAllowed()
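Review bot: The new `use_method_override=False` on the RoutesMiddleware line is the load-bearing part of this fix, yet it sits under the generic `# Routing/Session/Cache Middleware` comment with nothing saying it is a security setting, so a later cleanup could drop it without noticing. Suggest a why-comment directly above the line, e.g. `# Never let a '_method' parameter rewrite the request method seen by routing; only the real HTTP method is trusted.`. Disabling the override in Routes only stops the routing layer from rewriting the method; the `_method` parameter itself still reaches handlers via request.params, which is presumably why kallithea/lib/auth.py in this same changeset rejects it outright. The enclosing function is not visible in the hunk.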
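Review bot: The surviving `_method` check keeps the old three-branch shape even though only two outcomes remain, so `if _method is None: pass ... else: raise HTTPMethodNotAllowed()` reads as a leftover of the deleted `elif` rather than a deliberate rule. It can be collapsed to `if request.params.get('_method') is not None: raise HTTPMethodNotAllowed()`, and the comment `# Also verify the _method override - no longer allowed` should state the intent rather than the history, e.g. `# The '_method' override is not supported at all: reject any request carrying one, whatever its value, so a PUT/DELETE cannot be smuggled inside a POST or a query string.`. Since `request.params` merges query-string and body parameters, this rejects `_method` on GET as well as POST and even for a harmless value like `GET`; that is stricter than the middleware change alone and is worth saying explicitly so nobody later "fixes" it as a false positive. The check is reached only after the method allow-list has passed, and the enclosing method starts before the hunk and is not visible here.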