Mercurial > p > roundup > code
comparison roundup/configuration.py @ 8575:b1024bf0d9f7
feature: add nonceless/tokenless CSRF protection
Add tokenless CSRF protection following:
https://words.filippo.io/csrf/
Must be enabled using use_tokenless_csrf_protection in config.ini. By
default it's off. If enabled the older csrf_* settings are ignored.
The allowed_api_origins setting is still used for Origin comparisons.
This should also improve performance as a nonce isn't required so
generating random nonce and saving it to the otks database is
eliminated.
doc/admin_guide.txt, doc/reference.txt doc/upgrading.txt
doc updates.
roundup/configuration.py
add use_tokenless_csrf_protection setting.
move allowed_api_origins directly after
use_tokenless_csrf_protection and before the older csrf_* settings.
It's used by both of them.
Rewrite description of allowed_api_origins as its applied to all
URLs with tokenless protection, not just API URLs.
roundup/anypy/urllib_.py
import urlsplit, it is used in new code.
urlparse() is less efficient and splits params out of the path
component.
Since Roundup doesn't require that params be split from the path. I
expect future patch will replace urlparse() with urlsplit() globally
and not need urlparse().
roundup/cgi/client.py
add handle_csrf_tokenless() and call from handle_csrf() if
use_tokenless_csrf_protection is enabled.
refactor code that expires csrf tokens when used with the wrong
methods (i.e. GET) into expire_exposed_keys(). Call same from
handle_csrf and handle_csrf_tokenless. Also improve logging if this
happens including both Referer and Origin headers if available.
Arguably we dont care about CSRF tokens exposed via
GET/HEAD/OPTIONS in the tokenless case, but this cleans them up in
case the admin has to switch back. At some future date we can
delete all the nonce based CSRF from 2018.
Update handle_csrf() docstring about calling/returning
handle_csrf_tokenless() when enabled. Call
expire_exposed_keys(method) if token is supplied with wrong method.
roundup/cgi/templating.py
disable nonce generation/save and always return "0" when
use_tokenless_csrf_protection enabled.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Apr 2026 20:50:07 -0400 |
| parents | 520075b29474 |
| children |
comparison
equal
deleted
inserted
replaced
| 8574:89117bb7416d | 8575:b1024bf0d9f7 |
|---|---|
| 1373 "documentation for more info.\n"), | 1373 "documentation for more info.\n"), |
| 1374 (IntegerNumberGtZeroOption, 'api_failed_login_interval_in_sec', "600", | 1374 (IntegerNumberGtZeroOption, 'api_failed_login_interval_in_sec', "600", |
| 1375 "Defines the interval in seconds over which api login failures\n" | 1375 "Defines the interval in seconds over which api login failures\n" |
| 1376 "are recorded. It allows api_failed_login_limit login failures\n" | 1376 "are recorded. It allows api_failed_login_limit login failures\n" |
| 1377 "in this time interval. Tune this as needed.\n"), | 1377 "in this time interval. Tune this as needed.\n"), |
| 1378 (BooleanOption, 'use_tokenless_csrf_protection', 'no', | |
| 1379 "Use a more modern CSRF protection method. If enabled, the\n" | |
| 1380 "other CSRF settings below are disabled and a CSRF token is\n" | |
| 1381 "not needed when creating your forms.\n"), | |
| 1382 (OriginHeadersListOption, 'allowed_api_origins', "", | |
| 1383 """A comma separated list of additonal valid Origin header | |
| 1384 values used when enforcing the origin header. If token style CSRF | |
| 1385 protection is enabled, it is used only for the api URLs (/rest and | |
| 1386 /xmlrpc). It is not used for the standard html URL's. If tokenless | |
| 1387 style csrf protection is enabled, it is used for URLs. | |
| 1388 | |
| 1389 These strings must precisely match the value of the Origin header. For | |
| 1390 example, 'https://bar.edu' and 'https://Bar.edu' are two different | |
| 1391 Origin values. Note origin values consist of scheme://host without any | |
| 1392 path component. Thus 'https://bar.edu/' is not valid. The value '*' | |
| 1393 can be used to match any origin when token style CSRF is enabled. It | |
| 1394 must be placed first in the list if used. Note that the '*' value | |
| 1395 allows any web page on the internet to make anonymous requests against | |
| 1396 your Roundup tracker. | |
| 1397 | |
| 1398 You must configure this if you have a web application on a different | |
| 1399 origin that accesses your Roundup instance. | |
| 1400 | |
| 1401 (The origin from the tracker.web setting in config.ini is | |
| 1402 always valid and does not need to be specified.)"""), | |
| 1378 (CsrfSettingOption, 'csrf_enforce_token', "yes", | 1403 (CsrfSettingOption, 'csrf_enforce_token', "yes", |
| 1379 """How do we deal with @csrf fields in posted forms. | 1404 """How do we deal with @csrf fields in posted forms. |
| 1380 Set this to 'required' to block the post and notify | 1405 Set this to 'required' to block the post and notify |
| 1381 the user if the field is missing or invalid. | 1406 the user if the field is missing or invalid. |
| 1382 Set this to 'yes' to block the post and notify the user | 1407 Set this to 'yes' to block the post and notify the user |
| 1423 the header is missing. | 1448 the header is missing. |
| 1424 Set this to 'logfailure' to log a notice to the roundup | 1449 Set this to 'logfailure' to log a notice to the roundup |
| 1425 log if the header is invalid or missing, but accept | 1450 log if the header is invalid or missing, but accept |
| 1426 the post. | 1451 the post. |
| 1427 Set this to 'no' to ignore the header and accept the post."""), | 1452 Set this to 'no' to ignore the header and accept the post."""), |
| 1428 (OriginHeadersListOption, 'allowed_api_origins', "", | |
| 1429 """A comma separated list of additonal valid Origin header | |
| 1430 values used when enforcing the header origin. They are used | |
| 1431 only for the api URL's (/rest and /xmlrpc). They are not | |
| 1432 used for the usual html URL's. These strings must match the | |
| 1433 value of the Origin header exactly. So 'https://bar.edu' and | |
| 1434 'https://Bar.edu' are two different Origin values. Note that | |
| 1435 the origin value is scheme://host. There is no path | |
| 1436 component. So 'https://bar.edu/' would never be valid. | |
| 1437 The value '*' can be used to match any origin. It must be | |
| 1438 first in the list if used. Note that this value allows | |
| 1439 any web page on the internet to make anonymous requests | |
| 1440 against your Roundup tracker. | |
| 1441 | |
| 1442 You need to set these if you have a web application on a | |
| 1443 different origin accessing your Roundup instance. | |
| 1444 | |
| 1445 (The origin from the tracker.web setting in config.ini is | |
| 1446 always valid and does not need to be specified.)"""), | |
| 1447 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes", | 1453 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes", |
| 1448 """Verify that the X-Forwarded-Host http header matches | 1454 """Verify that the X-Forwarded-Host http header matches |
| 1449 the host part of the tracker.web setting in config.ini. | 1455 the host part of the tracker.web setting in config.ini. |
| 1450 Set this to 'required' to block the post and notify | 1456 Set this to 'required' to block the post and notify |
| 1451 the user if the header is missing or invalid. | 1457 the user if the header is missing or invalid. |