From f97fd3105f84278e81740068c3eda0ff90963df2 Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 16 Apr 2020 12:08:47 -0400
Subject: [PATCH] Prevent GET from indicating a non-idempotent opreation

This could bypass CSRF protection in theory.
---
 confluent_server/confluent/httpapi.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py
index 669411f9..986ce51b 100644
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@@ -416,7 +416,7 @@ def resourcehandler_backend(env, start_response):
         reqtype = env['CONTENT_TYPE']
     operation = opmap[env['REQUEST_METHOD']]
     querydict = _get_query_dict(env, reqbody, reqtype)
-    if 'restexplorerop' in querydict:
+    if operation != 'retrieve' and 'restexplorerop' in querydict:
         operation = querydict['restexplorerop']
         del querydict['restexplorerop']
     authorized = _authorize_request(env, operation)
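Review bot: On a GET the new guard skips both the override and the `del`, so a `restexplorerop` key now survives in `querydict` and presumably reaches whatever consumes the query parameters downstream instead of being discarded; pop it unconditionally and gate only the operation switch on the method: `explorerop = querydict.pop('restexplorerop', None)` / `if explorerop is not None and operation != 'retrieve':` / `operation = explorerop`. The override value is also still taken verbatim from the client, so any string at all becomes `operation` before `_authorize_request` sees it; restricting it to the known operation names (presumably the values of `opmap`, whose contents are outside this hunk) and answering anything else with a 400 would be safer than silently continuing. A GET that carries the parameter is now quietly downgraded to `retrieve`; if the REST explorer UI depends on it, a log line at that point makes the refusal visible rather than puzzling. `resourcehandler_backend` begins and ends outside this hunk.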