diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-10-20 11:29:26 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-12-05 16:02:24 -0500 |
commit | 9f10fb20e918e867c44932b478275d9754265ee1 (patch) | |
tree | d39ff2e127666d00916ec4a9342b11fd9018f0c6 /ipalib/rpc.py | |
parent | 89d9ad428cf48a3aac55173ecf074e0a234a5ee5 (diff) | |
download | freeipa.git-9f10fb20e918e867c44932b478275d9754265ee1.tar.gz freeipa.git-9f10fb20e918e867c44932b478275d9754265ee1.tar.xz freeipa.git-9f10fb20e918e867c44932b478275d9754265ee1.zip |
Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.
https://bugzilla.redhat.com/show_bug.cgi?id=747710
Diffstat (limited to 'ipalib/rpc.py')
-rw-r--r-- | ipalib/rpc.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py index f8e4d9e6..8ec3a2f2 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -208,6 +208,9 @@ class LanguageAwareTransport(Transport): extra_headers.append( ('Accept-Language', lang.replace('_', '-')) ) + extra_headers.append( + ('Referer', 'https://%s/ipa/xml' % str(host)) + ) return (host, extra_headers, x509) |