2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-26 11:30:23 +00:00

Exempt Web Forwarding from CSRF

Web forward from popup context requires it be exempt from CSRF
protection.  This is harmless (as all GET should be, but erring on side
of caution), so add it to the whitelist of CSRF skipping on a CSRF
enabled client session.
This commit is contained in:
Jarrod Johnson 2017-10-16 10:20:49 -04:00
parent 8694eca40b
commit a962a5afc3

View File

@ -216,11 +216,17 @@ def _should_skip_authlog(env):
return True
return False
def _csrf_exempt(path):
# first a get of info to get CSRF key, also '/forward/web' to enable
# the popup ability to just forward
return path == '/sessions/current/info' or path.endswith('/forward/web')
def _csrf_valid(env, session):
# This could be simplified into a statement, but this is more readable
# to have it broken out
if (env['REQUEST_METHOD'] == 'GET' and
env['PATH_INFO'] == '/sessions/current/info'):
if (env['REQUEST_METHOD'] == 'GET' and _csrf_exmept(env['PATH_INFO']):
# Provide a web client a safe hook to request the CSRF token
# This means that we consider GET of /sessions/current/info to be
# a safe thing to inflict via CSRF, since CORS should prevent