changeset 4994:ae947de541d5

auth: check CSRF protection token when authenticating Use pylons secure_form to get CSRF protection on all authenticated POSTs. This fixes CVE-2015-0276. GETs should not have any side effects and thus do not need CSRF protection. Reported by Paul van Empelen.
author Mads Kiilerich <madski@unity3d.com>
date Tue, 07 Apr 2015 03:30:05 +0200
parents 0efca3ad8467
children ad0ce803b40c 9885bbacf99c
files kallithea/lib/auth.py
diffstat 1 files changed, 8 insertions(+), 0 deletions(-) [+]
--- a/kallithea/lib/auth.py	Tue Apr 07 03:30:05 2015 +0200
+++ b/kallithea/lib/auth.py	Tue Apr 07 03:30:05 2015 +0200
@@ -39,6 +39,7 @@
 from pylons import url, request
 from pylons.controllers.util import abort, redirect
 from pylons.i18n.translation import _
+from webhelpers.pylonslib import secure_form
 from sqlalchemy import or_
 from sqlalchemy.orm.exc import ObjectDeletedError
 from sqlalchemy.orm import joinedload
@@ -764,6 +765,13 @@
                 else:
                     log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
 
+        # CSRF protection - POSTs with session auth must contain correct token
+        if request.POST and user.is_authenticated and not api_access_valid:
+            token = request.POST.get(secure_form.token_key)
+            if not token or token != secure_form.authentication_token():
+                log.error('CSRF check failed')
+                return abort(403)
+
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'