comparison roundup/configuration.py @ 7155:89a59e46b3af
improve REST interface security
When using REST, we reflect the client's origin. If the wildcard '*'
is used in allowed_api_origins, all origins are allowed. When this is
done, it also adds an 'Access-Control-Allow-Credentials: true'
header.
This Credentials header should not be added if the site is matched
only by '*'. This header should be provided only for explicit origins
(e.g. https://example.org), not for the wildcard.
This is now fixed for CORS preflight OPTIONS requests as well as normal
GET, PUT, DELETE, POST, PATCH and OPTIONS requests.
A missing Access-Control-Allow-Credentials header will prevent the tracker
from being accessed using credentials. This prevents an unauthorized
third-party web site from using a user's credentials to access
information in the tracker that is not publicly available.
Added test for this specific case.
In addition, allowed_api_origins can include explicit origins in
addition to '*'. '*' must be first in the list.
Also adapted numerous tests to work with these changes.
Doc updates.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 Feb 2023 12:01:33 -0500 |
| parents | 563f5327c5b5 |
| children | be7849588372 |
| 7154:f614176903d0 | 7155:89a59e46b3af |
|---|---|
| 569 | 569 |
| 570 def set(self, _val): | 570 def set(self, _val): |
| 571 pathlist = self._value = [] | 571 pathlist = self._value = [] |
| 572 for elem in _val.split(): | 572 for elem in _val.split(): |
| 573 pathlist.append(elem) | 573 pathlist.append(elem) |
| 574 if '*' in pathlist and len(pathlist) != 1: | 574 if '*' in pathlist and pathlist[0] != '*': |
| 575 raise OptionValueError(self, _val, | 575 raise OptionValueError( |
| 576 "If using '*' it must be the only element.") | 576 self, _val, |
| 577 "If using '*' it must be the first element.") | |
| 577 | 578 |
| 578 def _value2str(self, value): | 579 def _value2str(self, value): |
| 579 return ','.join(value) | 580 return ','.join(value) |
| 580 | 581 |
| 581 | 582 |
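Review bot: the relaxed check on line 574 (`'*' in pathlist and pathlist[0] != '*'`) still accepts a list with '*' repeated later on (e.g. `* https://a.example *`), and neither the old nor the new set() validates the explicit origins themselves, even though the option's own docstring states that an origin is scheme://host with no path and that 'https://bar.edu/' would never be valid. Since an origin with a trailing slash or path will simply never match the Origin header and the cross-origin request will fail silently, consider rejecting such elements here with an OptionValueError (for example, anything containing a '/' after the 'scheme://' prefix), so a misconfiguration surfaces at startup instead of at request time; rejecting duplicate '*' entries in the same pass would be cheap.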
| 1315 used for the usual html URL's. These strings must match the | 1316 used for the usual html URL's. These strings must match the |
| 1316 value of the Origin header exactly. So 'https://bar.edu' and | 1317 value of the Origin header exactly. So 'https://bar.edu' and |
| 1317 'https://Bar.edu' are two different Origin values. Note that | 1318 'https://Bar.edu' are two different Origin values. Note that |
| 1318 the origin value is scheme://host. There is no path | 1319 the origin value is scheme://host. There is no path |
| 1319 component. So 'https://bar.edu/' would never be valid. | 1320 component. So 'https://bar.edu/' would never be valid. |
| 1320 Also the value * can be used to match any origin. Note that | 1321 The value '*' can be used to match any origin. It must be |
| 1321 this value allows any web page on the internet to make | 1322 first in the list if used. Note that this value allows |
| 1322 authenticated requests against your Roundup tracker and | 1323 any web page on the internet to make anonymous requests |
| 1323 is not a good idea. | 1324 against your Roundup tracker. |
| 1324 | 1325 |
| 1325 You need to set these if you have a web application on a | 1326 You need to set these if you have a web application on a |
| 1326 different origin accessing your roundup instance. | 1327 different origin accessing your Roundup instance. |
| 1327 | 1328 |
| 1328 (The origin from the tracker.web setting in config.ini is | 1329 (The origin from the tracker.web setting in config.ini is |
| 1329 always valid and does not need to be specified.)"""), | 1330 always valid and does not need to be specified.)"""), |
| 1330 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes", | 1331 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes", |
| 1331 """Verify that the X-Forwarded-Host http header matches | 1332 """Verify that the X-Forwarded-Host http header matches |
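Review bot: the rewritten docstring on lines 1321-1324 now says '*' lets any web page make anonymous requests, but it does not tell the operator why: the commit's rule that Access-Control-Allow-Credentials is never emitted for the wildcard, so browsers will not attach cookies or other credentials and only publicly readable data is reachable cross-origin, while credentialed access requires listing the origin explicitly. A sentence to that effect here (the one place an operator editing config.ini will read) would make the security trade-off explicit. Minor style point in the unchanged context on line 1316: "URL's" should be "URLs".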
