author | Rob Crittenden <rcritten@redhat.com> | 2011-10-20 11:29:26 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-12-12 17:36:45 -0500 |
commit | 2d6eeb205e196cc6556f832555e74968619c0f1e (patch) | |
tree | 181ae3111506bd2f6dc9eda172f262b14e613e00 /ipaserver/rpcserver.py | |
parent | da4b4fc4d9ef42f8ca46d5b5f405b93ba84f07d0 (diff) | |
Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA configuration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
Diffstat (limited to 'ipaserver/rpcserver.py')
-rw-r--r-- | ipaserver/rpcserver.py | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 68d4379bb..e12f2706e 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -27,7 +27,7 @@ from cgi import parse_qs
 from xml.sax.saxutils import escape
 from xmlrpclib import Fault
 from ipalib.backend import Executioner
-from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError
+from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError
 from ipalib.request import context, Connection, destroy_context
 from ipalib.rpc import xml_dumps, xml_loads
 from ipalib.util import make_repr
@@ -200,6 +200,11 @@ class WSGIExecutioner(Executioner):
         options = {}
         if not 'KRB5CCNAME' in environ:
             return self.marshal(result, CCacheError(), _id)
+        self.debug('Request environment: %s' % environ)
+        if not 'HTTP_REFERER' in environ:
+            return self.marshal(result, RefererError(referer='missing'), _id)
+        if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:
+            return self.marshal(result, RefererError(referer=environ['HTTP_REFERER']), _id)
         try:
             if ('HTTP_ACCEPT_LANGUAGE' in environ):
                 lang_reg_w_q = environ['HTTP_ACCEPT_LANGUAGE'].split(',')[0]
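Review bot: The `self.debug('Request environment: %s' % environ)` line added at the top of the second hunk writes the entire WSGI environ to the debug log, which covers every request header and server variable — at minimum the `KRB5CCNAME` path this code already checks for, and presumably any cookie or Authorization header the client sent — so it risks leaking credentials into logs for the sake of a Referer check that needs one value. Suggest narrowing it to `self.debug('Request Referer: %s' % environ.get('HTTP_REFERER', 'missing'))` or dropping it. Separately, a Referer prefix match is a weak CSRF control on its own: browsers and proxies may strip the header (which this code then rejects outright), and the `not self.env.in_tree` clause disables the check entirely in development, so a comment above the check noting that it should be backed by an `Origin` header check or a per-session token would help the next maintainer. Note also that the two new conditions read `self.api.env.host` but `self.env.in_tree`; using one of the two consistently would avoid the question of whether they are the same object. The enclosing method starts and ends outside this hunk.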