changeset 6110:2ac4a70134b6

auth: disallow PUT and _method method override
author Mads Kiilerich <madski@unity3d.com>
date Thu, 04 Aug 2016 14:23:36 +0200
parents 23ff4e66391a
children 9c1fe6f96146
files kallithea/config/middleware.py kallithea/lib/auth.py
diffstat 2 files changed, 4 insertions(+), 9 deletions(-) [+]
--- a/kallithea/config/middleware.py	Thu Aug 04 14:23:36 2016 +0200
+++ b/kallithea/config/middleware.py	Thu Aug 04 14:23:36 2016 +0200
@@ -59,7 +59,7 @@
     app = PylonsApp(config=config)
 
     # Routing/Session/Cache Middleware
-    app = RoutesMiddleware(app, config['routes.map'])
+    app = RoutesMiddleware(app, config['routes.map'], use_method_override=False)
     app = SecureSessionMiddleware(app, config)
 
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
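Review bot: The new `use_method_override=False` argument carries no comment explaining why the Routes default is turned off, so a later reader may take it for an accidental change; the `# Routing/Session/Cache Middleware` line above it does not cover the intent. A one-line comment such as `# Never let Routes rewrite the request method from a '_method' parameter; kallithea/lib/auth.py rejects any request that carries one.` would make the pairing with the auth.py hunk in this changeset explicit. Note that with the override disabled a request carrying `_method` still reaches the application with its original method, so it is the check in auth.py, not this line, that turns the parameter into an error rather than a silent no-op; presumably that is the intended defence in depth. The enclosing function starts and ends outside the hunk.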
--- a/kallithea/lib/auth.py	Thu Aug 04 14:23:36 2016 +0200
+++ b/kallithea/lib/auth.py	Thu Aug 04 14:23:36 2016 +0200
@@ -753,19 +753,14 @@
                 log.warning('API access to %s is not allowed', loc)
                 raise HTTPForbidden()
 
-        # Only allow the following HTTP request methods. (We sometimes use POST
-        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only
-        # used for the route lookup, and does not affect request.method.)
-        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
+        # Only allow the following HTTP request methods.
+        if request.method not in ['GET', 'HEAD', 'POST']:
             raise HTTPMethodNotAllowed()
 
-        # Also verify the _method override. This is only permitted in POST
-        # requests, and can specify PUT or DELETE.
+        # Also verify the _method override - no longer allowed
         _method = request.params.get('_method')
         if _method is None:
             pass # no override, no problem
-        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
-            pass # permitted override
         else:
             raise HTTPMethodNotAllowed()