
Provide CSRF protection to logout resource

Though more annoying than harmful, guard against CSRF succeeding
against the logout resource.
This commit is contained in:
Jarrod Johnson 2016-11-30 10:04:25 -05:00
parent 004d40e7ca
commit bf8dff90f3


@ -268,27 +268,27 @@ def _authorize_request(env, operation):
sessionid = cc['confluentsessionid'].value
sessid = sessionid
if sessionid in httpsessions:
if env['PATH_INFO'] == '/sessions/current/logout':
targets = []
for mythread in httpsessions[sessionid]['inflight']:
targets.append(mythread)
for mythread in targets:
eventlet.greenthread.kill(mythread)
del httpsessions[sessionid]
return ('logout',)
if _csrf_valid(env, httpsessions[sessionid]):
if env['PATH_INFO'] == '/sessions/current/logout':
targets = []
for mythread in httpsessions[sessionid]['inflight']:
targets.append(mythread)
for mythread in targets:
eventlet.greenthread.kill(mythread)
del httpsessions[sessionid]
return ('logout',)
httpsessions[sessionid]['expiry'] = time.time() + 90
name = httpsessions[sessionid]['name']
authdata = auth.authorize(
name, element=None,
skipuserobj=httpsessions[sessionid]['skipuserobject'])
if (not authdata) and 'HTTP_AUTHORIZATION' in env:
if env['PATH_INFO'] == '/sessions/current/logout':
return ('logout',)
# We do not allow a link into the api browser to come in with just
# username and password
if 'HTTP_REFERER' in env:
return {'code': 401}
if env['PATH_INFO'] == '/sessions/current/logout':
return ('logout',)
name, passphrase = base64.b64decode(
env['HTTP_AUTHORIZATION'].replace('Basic ', '')).split(':', 1)
authdata = auth.check_user_passphrase(name, passphrase, element=None)
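Review bot: The relocated Basic-auth logout branch (`if env['PATH_INFO'] == '/sessions/current/logout': return ('logout',)` now after the `HTTP_REFERER` gate) relies on the absence of a Referer header as its only cross-site signal, and since that header is optional and routinely suppressed, a missing Referer does not establish a non-browser origin; the intent should be stated, e.g. `# Explicit Basic credentials: Referer-based check is best-effort; cookie sessions are the path guarded by _csrf_valid above`. Indentation is not preserved on this page, so I cannot tell whether the expiry refresh and `auth.authorize(...)` call sit inside the new `_csrf_valid` guard; if they sit outside it, a request failing the CSRF check still has its session extended and authorized, which deserves a comment either way. Separately, the `base64.b64decode(...).split(':', 1)` unpacking on the following lines raises on a malformed or colon-less Authorization header, an unauthenticated input path that the surrounding code does not catch. `_authorize_request` continues beyond this hunk.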