changeset 5811:9b74296e6af6 stable

auth: further sanitize requests to prevent GET CSRF (CVE-2016-3691) Routes allows GET requests to override the HTTP method, which breaks the Kallithea CSRF protection (which only applies to POST requests). This commit blocks such GET requests, preventing CSRF attacks.
author Søren Løvborg <sorenl@unity3d.com>
date Tue, 19 Apr 2016 18:02:56 +0200
parents 81057be7a5c1
children a84d40e9481f
files kallithea/lib/auth.py
diffstat 1 files changed, 10 insertions(+), 0 deletions(-) [+]
--- a/kallithea/lib/auth.py	Tue Apr 19 16:57:38 2016 +0200
+++ b/kallithea/lib/auth.py	Tue Apr 19 18:02:56 2016 +0200
@@ -766,6 +766,16 @@
         if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:
             return abort(405)
 
+        # Also verify the _method override. This is only permitted in POST
+        # requests, and can specify PUT or DELETE.
+        _method = request.params.get('_method')
+        if _method is None:
+            pass # no override, no problem
+        elif request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']:
+            pass # permitted override
+        else:
+            raise HTTPMethodNotAllowed()
+
         # Make sure CSRF token never appears in the URL. If so, invalidate it.
         if secure_form.token_key in request.GET:
             log.error('CSRF key leak detected')
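Review bot: The rejected override is reported with `raise HTTPMethodNotAllowed()` while the disallowed-method check three lines above uses `return abort(405)` for the same condition, so two code paths in one function signal the same 405 differently; `return abort(405)` in the else branch would keep them consistent, and the two `pass` branches collapse into one guard, `if _method is not None and not (request.method == 'POST' and _method.upper() in ['PUT', 'DELETE']):`. The check relies on `request.method` being the original verb; since the description says Routes rewrites the method from `_method`, it is worth confirming this code runs before that rewrite, otherwise a PUT/DELETE seen here may already be the overridden value and the POST-only condition would not behave as the comment states. The enclosing function starts outside the hunk.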