Recognize and use CSRF token

Newer versions of IMM firmware implement a mechanism to guard against CSRF. Use the provided token via custom header to prove that our requests are not CSRF. Change-Id: I6cc030302ecacdfedc8e2fcf6e7588a82db957e7
2025-01-27 19:37:44 +00:00 · 2016-10-25 14:22:29 -04:00 · 2016-10-25 14:22:29 -04:00 · a27d28fb0a
commit a27d28fb0a
parent 87be4c8a41
2 changed files with 7 additions and 1 deletions
--- a/pyghmi/ipmi/oem/lenovo/imm.py
+++ b/pyghmi/ipmi/oem/lenovo/imm.py
@ -55,6 +55,8 @@ def get_imm_webclient(imm, certverify, uid, password):
    if rsp.status == 200:
        rspdata = json.loads(rsp.read())
        if rspdata['authResult'] == '0' and rspdata['status'] == 'ok':
+            if 'token2_name' in rspdata and 'token2_value' in rspdata:
+                wc.set_header(rspdata['token2_name'], rspdata['token2_value'])
            return wc


--- a/pyghmi/util/webclient.py
+++ b/pyghmi/util/webclient.py
@ -39,6 +39,10 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):
        self.cert_reqs = ssl.CERT_NONE  # verification will be done ssh style..
        self._certverify = verifycallback
        self.cookies = {}
+        self.stdheaders = {}
+
+    def set_header(self, key, value):
+        self.stdheaders[key] = value

    def connect(self):
        plainsock = socket.create_connection((self.host, self.port))
@ -68,7 +72,7 @@ class SecureHTTPConnection(httplib.HTTPConnection, object):

    def request(self, method, url, body=None, headers=None):
        if headers is None:
-            headers = {}
+            headers = self.stdheaders
        if self.cookies:
            cookies = []
            for ckey in self.cookies: