author | Simo Sorce <simo@redhat.com> | 2014-05-20 15:20:43 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2014-05-20 16:29:44 -0400 |
commit | 8d082183f55722777ef2ff4baaa0af9962c3ab2e (patch) | |
tree | e3539fca111c0aa4b7d8524455c817fec6cc0f84 /ipsilon/util | |
parent | 4fbacd9897dfcdcb23a325e78f837d9f8d372cb6 (diff) | |
Fix referer checks with escaped URLs
When a SP name included spaces the referer checker would fail to match
the url. It would try to return a 403 error, unfortunately this would
also trip as a return instead of an exception was used, ending up with
a 500 error being returned to the user.
Fix url checks by unquoting before comparing.
Fix error reporting by raising an exception when needed instead of
returning.
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipsilon/util')
-rwxr-xr-x | ipsilon/util/page.py | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 1968009..ae1f116 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -18,6 +18,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 from ipsilon.util.user import UserSession
+from urllib import unquote
 import cherrypy
@@ -45,6 +46,13 @@ class Page(object):
 self.user = None
 self.form = form
+ def _compare_urls(self, url1, url2):
+ u1 = unquote(url1)
+ u2 = unquote(url2)
+ if u1 == u2:
+ return True
+ return False
+
 def __call__(self, *args, **kwargs): # pylint: disable=star-args
 self.user = UserSession().get_user()
@@ -60,12 +68,16 @@ class Page(object):
 if callable(op):
 # Basic CSRF protection
 if cherrypy.request.method != 'GET':
+ url = cherrypy.url(relative=False)
 if 'referer' not in cherrypy.request.headers:
- return cherrypy.HTTPError(403)
+ self._debug("Missing referer in %s request to %s"
+ % (cherrypy.request.method, url))
+ raise cherrypy.HTTPError(403)
 referer = cherrypy.request.headers['referer']
- url = cherrypy.url(relative=False)
- if referer != url:
- return cherrypy.HTTPError(403)
+ if not self._compare_urls(referer, url):
+ self._debug("Wrong referer %s in request to %s"
+ % (referer, url))
+ raise cherrypy.HTTPError(403)
 return op(*args, **kwargs)
 else:
 op = getattr(self, 'root', None)
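Review bot: `_compare_urls` still demands byte-for-byte equality after percent-decoding, so a referer that differs from `cherrypy.url(relative=False)` only in scheme/host case, or that carries the query string the form page was loaded with (`cherrypy.url()` is called here without `qs`, so if I read it right the computed `url` never has one), is still rejected with a 403 — the commit only covers the escaped-space case it describes. Decoding the whole URL before comparing also means an encoded `?` or `#` in the path is decoded into a delimiter, so it is safer to split first and unquote only the path component; a docstring on the helper stating what "same URL" means would make the contract explicit. Whether the query string should be ignored or compared deliberately depends on how the referring pages are built, so confirm that before adopting the change below, which uses `urlparse.urlsplit`. The `__call__` body continues outside the hunk.
```python
    def _compare_urls(self, url1, url2):
        """True when url1 and url2 name the same resource.

        Scheme and host compare case-insensitively, the path compares
        after percent-escapes are decoded, and the query string is
        ignored because the request URL built by cherrypy.url() has
        none.
        """
        p1 = urlsplit(url1)
        p2 = urlsplit(url2)
        return (p1.scheme.lower() == p2.scheme.lower()
                and p1.netloc.lower() == p2.netloc.lower()
                and unquote(p1.path) == unquote(p2.path))
```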