From 2d6eeb205e196cc6556f832555e74968619c0f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 20 Oct 2011 11:29:26 -0400
Subject: Require an HTTP Referer header in the server. Send one in ipa tools.

This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA oonfiguration changes with the privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
---
 ipaserver/rpcserver.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'ipaserver/rpcserver.py')

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 68d4379bb..e12f2706e 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -27,7 +27,7 @@ from cgi import parse_qs
 from xml.sax.saxutils import escape
 from xmlrpclib import Fault
 from ipalib.backend import Executioner
-from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError
+from ipalib.errors import PublicError, InternalError, CommandError, JSONError, ConversionError, CCacheError, RefererError
 from ipalib.request import context, Connection, destroy_context
 from ipalib.rpc import xml_dumps, xml_loads
 from ipalib.util import make_repr
@@ -200,6 +200,11 @@ class WSGIExecutioner(Executioner):
 options = {}
 if not 'KRB5CCNAME' in environ:
 return self.marshal(result, CCacheError(), _id)
+ self.debug('Request environment: %s' % environ)
+ if not 'HTTP_REFERER' in environ:
+ return self.marshal(result, RefererError(referer='missing'), _id)
+ if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:
+ return self.marshal(result, RefererError(referer=environ['HTTP_REFERER']), _id)
 try:
 if ('HTTP_ACCEPT_LANGUAGE' in environ):
 lang_reg_w_q = environ['HTTP_ACCEPT_LANGUAGE'].split(',')[0]
--
cgit
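Review bot: The new `self.debug('Request environment: %s' % environ)` line at the top of the second hunk writes the whole WSGI environ to the log on every request, and that mapping carries every request header (Cookie, any Authorization value) plus server-side details such as the KRB5CCNAME path, none of which the Referer check needs; logging only the value being checked, `self.debug('Request Referer: %s' % environ.get('HTTP_REFERER'))`, keeps that material out of the log. The prefix test is skipped entirely whenever `self.env.in_tree` is true, so in that mode any Referer is accepted; a comment such as `# in_tree (developer checkout): Referer check intentionally bypassed` would make the deliberate bypass visible rather than leaving it to be read out of the boolean. The two conditions reach the environment through different paths, `self.api.env.host` and `self.env.in_tree`, which are presumably the same object but read as if they might not be; using one form in both lines would be clearer. `if not 'HTTP_REFERER' in environ` is conventionally written `if 'HTTP_REFERER' not in environ`, matching the style note that also applies to the existing KRB5CCNAME line. The enclosing method of WSGIExecutioner begins and ends outside the hunk.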