| Field | Value |
|---|---|
| author | Rob Crittenden <rcritten@redhat.com>, 2011-10-20 11:29:26 -0400 |
| committer | Rob Crittenden <rcritten@redhat.com>, 2011-12-12 17:36:45 -0500 |
| commit | 2d6eeb205e196cc6556f832555e74968619c0f1e (patch) |
| tree | 181ae3111506bd2f6dc9eda172f262b14e613e00 /ipalib/rpc.py |
| parent | da4b4fc4d9ef42f8ca46d5b5f405b93ba84f07d0 (diff) |
| download | freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.tar.gz, freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.tar.xz, freeipa-2d6eeb205e196cc6556f832555e74968619c0f1e.zip |
Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA configuration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
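The server-side half of this change (the subject line says the server now requires the header) is not in the file shown here. As an added, illustrative example that is not FreeIPA's own code, the check below shows what "require a Referer" means in practice for a CSRF defense: the request is rejected when the header is absent, when it is not HTTPS, or when its host part is anything other than the server's own host. The function names, the header mapping format and the sample hosts are assumptions made for this example; `build_client_referer` mirrors the string the client-side hunk on this page constructs.

```python
"""Illustrative server-side Referer check for CSRF protection.

This is an added example, not FreeIPA's implementation. It assumes the
server is reached over HTTPS at a single known host and that request
headers are available as a plain name -> value mapping.
"""
from urllib.parse import urlsplit


def build_client_referer(host):
    """Build the Referer value the way the client hunk on this page does.

    Kept here only so the test can show that the client's header passes
    the server-side check below (hypothetical helper).
    """
    return 'https://%s/ipa/xml' % str(host)


def referer_allowed(headers, expected_host):
    """Return True only if the request carries an acceptable Referer.

    headers: mapping of header name -> value; names are compared
             case-insensitively because CGI/WSGI environments differ.
    expected_host: the host (with optional :port) clients use to reach
             this server, e.g. 'ipa.example.com'.
    """
    referer = None
    for name, value in headers.items():
        if name.lower() == 'referer':
            referer = value
            break

    # A missing or empty Referer is rejected outright: browsers send it on
    # same-origin requests and the ipa tools set it explicitly, so a request
    # without one is not coming from either trusted source.
    if not referer:
        return False

    parts = urlsplit(referer)

    # Only an HTTPS origin is accepted; a plain-http Referer would mean the
    # management interface was loaded insecurely or spoofed.
    if parts.scheme != 'https':
        return False

    # Compare the full network location (host plus any port or userinfo),
    # case-insensitively. Using netloc rather than a prefix match stops
    # 'ipa.example.com.attacker.example' and 'user@ipa.example.com' tricks,
    # and a differing port is rejected as well.
    return parts.netloc.lower() == expected_host.lower()
```

The comparison deliberately ignores the path, so any page under the management interface (for example the web UI as well as the XML-RPC endpoint) is accepted as a referrer, while the host and scheme must match exactly.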
Diffstat (limited to 'ipalib/rpc.py')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | ipalib/rpc.py | 3 |

1 files changed, 3 insertions, 0 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index f8e4d9e6a..8ec3a2f27 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -208,6 +208,9 @@ class LanguageAwareTransport(Transport): extra_headers.append( ('Accept-Language', lang.replace('_', '-')) ) + extra_headers.append( + ('Referer', 'https://%s/ipa/xml' % str(host)) + ) return (host, extra_headers, x509) |
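Review bot: the new `extra_headers.append(('Referer', 'https://%s/ipa/xml' % str(host)))` in `LanguageAwareTransport` carries no comment, and nothing in this class name or the neighbouring Accept-Language code suggests why a Referer belongs here; since the server-side check named in the subject line (not part of this file) must accept exactly this scheme and path, add a one-line comment stating that the header exists to satisfy the server's CSRF Referer check and that the `https://` scheme and `/ipa/xml` path are fixed while `host` is passed through verbatim (including any `:port` the caller supplies), so anyone changing either side knows the two must stay in sync.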