xCAT/confluent
2
0
Fork 0
mirror of https://github.com/xcat2/confluent.git synced 2025-02-05 05:22:08 +00:00
Code Issues Projects Releases Wiki Activity

Prevent GET from indicating a non-idempotent opreation

Browse Source 
This could bypass CSRF protection in theory.
This commit is contained in:
Jarrod Johnson 2020-04-16 12:08:47 -04:00
parent bc03da47af
commit f97fd3105f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
confluent_server/confluent/httpapi.py
View File

@ -416,7 +416,7 @@ def resourcehandler_backend(env, start_response):
reqtype = env['CONTENT_TYPE']
operation = opmap[env['REQUEST_METHOD']]
querydict = _get_query_dict(env, reqbody, reqtype)
if 'restexplorerop' in querydict:
if operation != 'retrieve' and 'restexplorerop' in querydict:
operation = querydict['restexplorerop']
del querydict['restexplorerop']
authorized = _authorize_request(env, operation)