comparison doc/reference.txt @ 8575:b1024bf0d9f7
feature: add nonceless/tokenless CSRF protection
Add tokenless CSRF protection following:
https://words.filippo.io/csrf/
Must be enabled using use_tokenless_csrf_protection in config.ini. By
default it's off. If enabled the older csrf_* settings are ignored.
The allowed_api_origins setting is still used for Origin comparisons.
This should also improve performance as a nonce isn't required, so
generating a random nonce and saving it to the otks database is
eliminated.
doc/admin_guide.txt, doc/reference.txt, doc/upgrading.txt
doc updates.
roundup/configuration.py
add use_tokenless_csrf_protection setting.
move allowed_api_origins directly after
use_tokenless_csrf_protection and before the older csrf_* settings.
It's used by both of them.
Rewrite description of allowed_api_origins as it's applied to all
URLs with tokenless protection, not just API URLs.
roundup/anypy/urllib_.py
import urlsplit, it is used in new code.
urlparse() is less efficient and splits params out of the path
component.
Since Roundup doesn't require that params be split from the path, I
expect a future patch will replace urlparse() with urlsplit() globally
and not need urlparse().
roundup/cgi/client.py
add handle_csrf_tokenless() and call from handle_csrf() if
use_tokenless_csrf_protection is enabled.
refactor code that expires csrf tokens when used with the wrong
methods (i.e. GET) into expire_exposed_keys(). Call same from
handle_csrf and handle_csrf_tokenless. Also improve logging if this
happens including both Referer and Origin headers if available.
Arguably we don't care about CSRF tokens exposed via
GET/HEAD/OPTIONS in the tokenless case, but this cleans them up in
case the admin has to switch back. At some future date we can
delete all the nonce-based CSRF from 2018.
Update handle_csrf() docstring about calling/returning
handle_csrf_tokenless() when enabled. Call
expire_exposed_keys(method) if token is supplied with wrong method.
roundup/cgi/templating.py
disable nonce generation/save and always return "0" when
use_tokenless_csrf_protection is enabled.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Apr 2026 20:50:07 -0400 |
| parents | 0e712d67a783 |
| children | 023a83cf3ae8 |
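The tokenless check this commit introduces is modelled on the Sec-Fetch-Site / Origin scheme described at https://words.filippo.io/csrf/. The following is an added illustration of that scheme, not Roundup's own handle_csrf_tokenless(); the function name `csrf_check`, the header dict shape, and the exact matching semantics of the allowed-origins list are assumptions.

```python
"""Tokenless (nonceless) CSRF decision, written as a stand-alone
illustration of the scheme from https://words.filippo.io/csrf/.
This is constructed example code, not Roundup's implementation."""
from urllib.parse import urlsplit

# State-changing requests are the only ones that need the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_host(origin):
    """Return the lower-cased host[:port] of an Origin value, or None.
    'null' and other unparsable values yield None and so never match."""
    return urlsplit(origin).netloc.lower() or None


def csrf_check(method, headers, allowed_origins=()):
    """Return (ok, reason) for a request under tokenless protection.

    headers: dict of header name -> value (names matched case-insensitively).
    allowed_origins: full origins (scheme://host[:port]) permitted to make
    cross-site state-changing requests; plays the role the commit message
    gives to allowed_api_origins (exact semantics assumed here).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    allowed = {o.lower().rstrip("/") for o in allowed_origins}
    sfs = h.get("sec-fetch-site")
    origin = h.get("origin")
    # Modern browsers: Sec-Fetch-Site is authoritative.
    if sfs in ("same-origin", "none"):
        return True, "Sec-Fetch-Site=%s" % sfs
    if sfs in ("same-site", "cross-site"):
        if origin and origin.lower() in allowed:
            return True, "allowed cross-site origin"
        return False, "Sec-Fetch-Site=%s rejected" % sfs
    # No Sec-Fetch-Site: older browser or non-browser client (curl, scripts).
    if origin is None:
        return True, "no Origin header"
    if origin.lower() in allowed:
        return True, "allowed origin"
    if _origin_host(origin) == h.get("host", "").lower():
        return True, "Origin host matches Host"
    return False, "Origin %s does not match Host" % origin
```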
| 8574:89117bb7416d | 8575:b1024bf0d9f7 |
|---|---|
| 2229 **editCSV** | 2229 **editCSV** |
| 2230 Determine whether the user has permission to edit this class. | 2230 Determine whether the user has permission to edit this class. |
| 2231 **search** | 2231 **search** |
| 2232 Determine whether the user has permission to view this class. | 2232 Determine whether the user has permission to view this class. |
| 2233 | 2233 |
| 2234 .. _`nonceless CSRF`: | |
| 2235 | |
| 2234 Protecting users from web application attacks | 2236 Protecting users from web application attacks |
| 2235 --------------------------------------------- | 2237 --------------------------------------------- |
| 2236 | 2238 |
| 2237 There is a class of attacks known as Cross Site Request Forgeries | 2239 There is a type of attack known as Cross Site Request Forgeries |
| 2238 (CSRF). Malicious code running in the browser can making a | 2240 (CSRF). Malicious code running in the browser can send a request |
| 2239 request to Roundup while you are logged into Roundup. The | 2241 to Roundup while you are logged in. The malicious code takes |
| 2240 malicious code piggy backs on your existing Roundup session to | 2242 advantage of your active Roundup session to make changes without |
| 2241 make changes without your knowledge. Roundup 1.6 has support for | 2243 your knowledge. |
| 2242 defending against this by analyzing the | 2244 |
| 2245 Roundup 2.6 added support for tokenless (nonceless) protection. | |
| 2246 This is based on `Cross-Site Request Forgery by Filippo Valsorda | |
| 2247 <https://words.filippo.io/csrf/>`_. Currently you must manually | |
| 2248 enable it. At some point in the future, it will be the default | |
| 2249 CSRF protection method. | |
| 2250 | |
| 2251 You can enable it for each tracker using ``config.ini``. In the | |
| 2252 ``[web]`` section of ``config.ini`` setting | |
| 2253 ``use_tokenless_csrf_protection`` to ``yes`` enables it. Since | |
| 2254 this is a replacement for the prior anti-CSRF protections, it | |
| 2255 turns off the older nonce and header-based CSRF settings. | |
| 2256 | |
| 2257 The Origin header is checked against the value of the | |
| 2258 ``allowed_api_origins`` option. You can use it to allow access to | |
| 2259 Roundup from other web sites. For example your homepage at | |
| 2260 www.example.com displays the 10 most recently updated issues from | |
| 2261 Roundup running at issues.example.com. To allow this, you would | |
| 2262 set the ``allowed_api_origins`` to ``https://www.example.com``. | |
| 2263 | |
| 2264 If your users have older browsers (pre 2023) you may need to | |
| 2265 continue using the older token/nonce based CSRF protection method. | |
| 2266 See Valsorda's page for details. | |
| 2267 | |
| 2268 With this mode enabled, the ``utils.anti_csrf_nonce()`` function | |
| 2269 always returns `"0". It does not generate a nonce nor store it to | |
| 2270 the otks database which should improve response times. | |
| 2271 | |
| 2272 Token/nonce based CSRF protection | |
| 2273 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
| 2274 | |
| 2275 Roundup 1.6 has support for defending against this by analyzing the | |
| 2243 | 2276 |
| 2244 * Referer, | 2277 * Referer, |
| 2245 * Origin, and | 2278 * Origin, and |
| 2246 * Host or | 2279 * Host or |
| 2247 * X-Forwarded-Host | 2280 * X-Forwarded-Host |
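Review bot: the inline literal on new line 2269, `"0"., has an unbalanced backtick, which leaves the reStructuredText markup broken at that point; it should read ``"0"`` to match the other literals in this section. Two smaller documentation points in the same hunk: new line 2275 keeps the old sentence "Roundup 1.6 has support for defending against this by analyzing the", but "this" now sits several paragraphs away from the description of CSRF under the new "Token/nonce based CSRF protection" subsection, so "defending against CSRF" would read more clearly; and the ``allowed_api_origins`` example on new lines 2257-2262 gives ``https://www.example.com`` while the prose only talks about the host name, so it would help to state whether the scheme (and port) is part of the Origin comparison.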
