From 2d6eeb205e196cc6556f832555e74968619c0f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 20 Oct 2011 11:29:26 -0400
Subject: Require an HTTP Referer header in the server. Send one in ipa tools.

This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA oonfiguration changes with the privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
---
 ipalib/errors.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'ipalib/errors.py')

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 4463fee70..5b634880d 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -441,6 +441,23 @@ class XMLRPCMarshallError(PublicError):
     errno = 910
     format = _('error marshalling data for XML-RPC transport: %(error)s')
 
+
+class RefererError(PublicError):
+    """
+    **911** Raised when the the request does not contain an HTTP referer
+
+    For example:
+
+    >>> raise RefererError()
+    Traceback (most recent call last):
+    ...
+    RefererError: Missing or invalid HTTP Referer
+    """
+
+    errno = 911
+    format = _('Missing or invalid HTTP Referer, %(referer)s')
+
+
 ##############################################################################
 # 1000 - 1999: Authentication errors
 class AuthenticationError(PublicError):
-- 
cgit
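Review bot: The doctest in the new RefererError docstring does not agree with the `format` defined two lines below it: `format` is `'Missing or invalid HTTP Referer, %(referer)s'`, yet the example `>>> raise RefererError()` passes no `referer` and its expected output has no `, %(referer)s` tail, so if PublicError interpolates `format` with the keyword arguments the way the sibling errors in this file rely on (PublicError itself is outside the hunk, so this is inferred), the example fails with a KeyError or prints a different message. Change the example to `>>> raise RefererError(referer='ipa')` with the expected line `RefererError: Missing or invalid HTTP Referer, ipa`, and fix `the the` in the summary line. Since `referer` will carry a client-supplied header value, the docstring should also say that the message echoes untrusted input, e.g. `The referer value is taken from the client request and is echoed in the message; treat it as untrusted when logging or displaying it.`, or the interpolation should be dropped so the header value stays out of the public message entirely.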