diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-10-20 11:29:26 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-12-12 17:36:45 -0500 |
commit | 2d6eeb205e196cc6556f832555e74968619c0f1e (patch) | |
tree | 181ae3111506bd2f6dc9eda172f262b14e613e00 /ipa-client/ipa-install/ipa-client-install | |
parent | da4b4fc4d9ef42f8ca46d5b5f405b93ba84f07d0 (diff) | |
download | freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.tar.gz freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.tar.xz freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.zip |
Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index e763d07a7..8e945ce90 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -264,6 +264,9 @@ def uninstall(options, env, quiet=False): if not options.on_master and os.path.exists('/etc/ipa/default.conf'): emit_quiet(quiet, "Unenrolling client from IPA server") join_args = ["/usr/sbin/ipa-join", "--unenroll", "-h", hostname] + if options.debug: + join_args.append("-d") + env['XMLRPC_TRACE_CURL'] = 'yes' (stdout, stderr, returncode) = run(join_args, raiseonerr=False, env=env) if returncode != 0: emit_quiet(quiet, "Unenrolling host failed: %s" % stderr) @@ -1037,6 +1040,7 @@ def install(options, env, fstore, statestore): join_args = ["/usr/sbin/ipa-join", "-s", cli_server, "-b", realm_to_suffix(cli_realm)] if options.debug: join_args.append("-d") + env['XMLRPC_TRACE_CURL'] = 'yes' if options.hostname: join_args.append("-h") join_args.append(options.hostname) |