# HG changeset patch
# User Mads Kiilerich
# Date 1428370205 -7200
# Node ID ae947de541d5630e5505c7c8ded05cd37c7f232b
# Parent 0efca3ad8467debcf23dbdf9b4c50041f05d6c06
auth: check CSRF protection token when authenticating

Use pylons secure_form to get CSRF protection on all authenticated POSTs.

This fixes CVE-2015-0276.

GETs should not have any side effects and do thus not need CSRF protection.

Reported by Paul van Empelen.

diff -r 0efca3ad8467 -r ae947de541d5 kallithea/lib/auth.py
--- a/kallithea/lib/auth.py	Tue Apr 07 03:30:05 2015 +0200
+++ b/kallithea/lib/auth.py	Tue Apr 07 03:30:05 2015 +0200
@@ -39,6 +39,7 @@
 from pylons import url, request
 from pylons.controllers.util import abort, redirect
 from pylons.i18n.translation import _
+from webhelpers.pylonslib import secure_form
 from sqlalchemy import or_
 from sqlalchemy.orm.exc import ObjectDeletedError
 from sqlalchemy.orm import joinedload
@@ -764,6 +765,13 @@
             else:
                 log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
 
+        # CSRF protection - POSTs with session auth must contain correct token
+        if request.POST and user.is_authenticated and not api_access_valid:
+            token = request.POST.get(secure_form.token_key)
+            if not token or token != secure_form.authentication_token():
+                log.error('CSRF check failed')
+                return abort(403)
+
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
 
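Review bot: The guard `if request.POST and user.is_authenticated and not api_access_valid:` keys the CSRF check on the parsed form body rather than on the request method, so a session-authenticated POST that carries no form fields (an empty body, or — as far as I recall WebOb's behaviour — a body with a non-form content type that `request.POST` does not expose) skips the check entirely and still reaches the controller. Testing the method instead closes that gap: `if request.method == 'POST' and user.is_authenticated and not api_access_valid:`, after which `request.POST.get(secure_form.token_key)` yields None for such requests and the existing `abort(403)` path handles them. The comparison `token != secure_form.authentication_token()` is also a plain string compare; where the deployed Python provides it, `hmac.compare_digest(token, secure_form.authentication_token())` avoids a timing side channel on the token, a minor but free improvement here. The enclosing function starts before this hunk, so it is not visible from here whether other state-changing methods (PUT/DELETE) reach this code path; if they do, the same check should apply to them.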