From 2d6eeb205e196cc6556f832555e74968619c0f1e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Thu, 20 Oct 2011 11:29:26 -0400
Subject: Require an HTTP Referer header in the server. Send one in ipa tools.

This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA oonfiguration changes with the privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
---
 ipalib/rpc.py | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'ipalib/rpc.py')

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index f8e4d9e6..8ec3a2f2 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -208,6 +208,9 @@ class LanguageAwareTransport(Transport):
 extra_headers.append(
 ('Accept-Language', lang.replace('_', '-'))
 )
+ extra_headers.append(
+ ('Referer', 'https://%s/ipa/xml' % str(host))
+ )
 return (host, extra_headers, x509)
-- 
cgit
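Review bot: The new `('Referer', ...)` append carries no comment saying why an XML-RPC client library sends a browser header, so a later cleanup could drop it and silently break every ipa tool against a server that now rejects Referer-less requests; add `# The server rejects requests without a Referer as a CSRF defence (rhbz#747710).` above the append. The value is built from `host` alone with a hard-coded https scheme and `/ipa/xml` path, so if the server-side check compares it against the request's actual scheme, port or path rather than only testing for presence, a non-default port or another endpoint would be rejected — worth confirming against the server change, which is not in this view since the diff is limited to ipalib/rpc.py. Note that this header is meaningful only as a server-enforced check on browser-originated requests; a non-browser client can set any Referer, so the client-side line provides compatibility, not the protection itself. The enclosing method of LanguageAwareTransport starts outside the hunk.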