comparison roundup/configuration.py @ 5212:d4cc71beb102
Added support for SameSite cookie option for CSRF prevention
This was an easy add-on compared to the complexity of the CSRF nonce
support. It only works in Chromium browsers (Chrome, Opera...) at
the moment. But there is recent activity on implementing it in
Firefox. Who knows when Edge/IE will adopt it. So csrf nonce and
header analysis will be needed for a while.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 19 Mar 2017 19:01:41 -0400 |
| parents | a9ace22e0a2f |
| children | 4c48180555fb |
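As an added illustration of what the new option controls (example code written for this page, not Roundup's own code): `samesite_setting` mirrors the validation the patch puts in `SameSiteSettingOption.str2value`, `session_cookie_header` shows the string value 'None' suppressing the attribute rather than emitting `SameSite=None`, and `browser_sends_cookie` models the attach rules of RFC 6265bis for a browser that honours SameSite, so the Strict-versus-Lax trade-off the option help text describes (a link opened from e-mail versus a forged cross-site POST) can be checked concretely. The cookie name `roundup_session`, the path, the `OptionValueError` stand-in and the scenario names are assumptions for the example, not taken from the tracker.

```python
"""Added example (not Roundup's code): SameSite validation, cookie emission
and a model of which requests a SameSite-aware browser attaches the cookie to."""

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class OptionValueError(ValueError):
    """Stand-in for roundup.configuration.OptionValueError (assumption)."""


def samesite_setting(value):
    """Mirror of the patch's SameSiteSettingOption.str2value: case-insensitive
    input, canonical capitalized token out. The token 'None' is the *string*
    'None', meaning 'do not emit the attribute', not Python None."""
    _val = value.lower()
    if _val in ("strict", "lax", "none"):
        return _val.capitalize()
    raise OptionValueError("Allowed values: Strict, Lax, None; got %r" % (value,))


def is_valid_setting(value):
    """True if the raw config string would be accepted by samesite_setting."""
    try:
        samesite_setting(value)
        return True
    except OptionValueError:
        return False


def session_cookie_header(name, session_id, samesite, path="/", secure=True):
    """Build the Set-Cookie value for the session cookie. Cookie name and path
    are assumptions for the example. The consumer has to special-case the
    string 'None': it is truthy, so `if samesite:` would not work."""
    parts = ["%s=%s" % (name, session_id), "Path=%s" % path, "HttpOnly"]
    if secure:
        parts.append("Secure")
    if samesite != "None":
        parts.append("SameSite=%s" % samesite)
    return "; ".join(parts)


def browser_sends_cookie(samesite, same_site_request, method, top_level_navigation):
    """RFC 6265bis attach rules for a browser that honours SameSite.
    Strict: same-site requests only. Lax: same-site requests, plus cross-site
    top-level navigations with a safe method. A cookie without the attribute
    (the patch's 'None') is modelled as always sent, which is what browsers
    of the time did; newer browsers may treat such cookies as Lax by default."""
    if same_site_request:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        return top_level_navigation and method in SAFE_METHODS
    return True


def scenario_table(samesite):
    """The two cases the option help text cares about (names are constructed):
    - email_link: the user clicks a tracker link in an e-mail, a cross-site
      top-level GET
    - cross_site_post: a forged form auto-submitted from another site, a
      cross-site top-level POST
    True means the session cookie is attached to that request."""
    return {
        "email_link": browser_sends_cookie(samesite, False, "GET", True),
        "cross_site_post": browser_sends_cookie(samesite, False, "POST", True),
    }


if __name__ == "__main__":
    for raw in ("strict", "Lax", "NONE"):
        setting = samesite_setting(raw)
        print(setting, "->", session_cookie_header("roundup_session", "abc123", setting))
        print("   ", scenario_table(setting))
```

Reading the scenario table: Strict withholds the cookie in both cases, so the e-mail link arrives logged out (the confusion the help text warns about); Lax keeps the e-mail link working and still withholds the cookie from the forged POST; with the attribute omitted, or in a browser that does not implement it, only the @csrf nonce stands between the forged POST and the action, which is why the commit message says the nonce and header checks are still needed.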
| 5211:f4b6a2a3e605 | 5212:d4cc71beb102 |
|---|---|
| 304 if _val in ("required", "yes", "logfailure", "no"): | 304 if _val in ("required", "yes", "logfailure", "no"): |
| 305 return _val | 305 return _val |
| 306 else: | 306 else: |
| 307 raise OptionValueError(self, value, self.class_description) | 307 raise OptionValueError(self, value, self.class_description) |
| 308 | 308 |
| 309 class SameSiteSettingOption(Option): | |
| 310 | |
| 311 """How should the SameSite cookie setting be set: strict, lax | |
| 312 or should it not be added (none)""" | |
| 313 | |
| 314 class_description = "Allowed values: Strict, Lax, None" | |
| 315 | |
| 316 def str2value(self, value): | |
| 317 _val = value.lower() | |
| 318 if _val in ("strict", "lax", "none"): | |
| 319 return _val.capitalize() | |
| 320 else: | |
| 321 raise OptionValueError(self, value, self.class_description) | |
| 322 | |
| 309 class EmailBodyOption(Option): | 323 class EmailBodyOption(Option): |
| 310 | 324 |
| 311 """When to replace message body or strip quoting: always, never or for new items only""" | 325 """When to replace message body or strip quoting: always, never or for new items only""" |
| 312 | 326 |
| 313 class_description = "Allowed values: yes, no, new" | 327 class_description = "Allowed values: yes, no, new" |
| 644 "Whether to use HTTP Basic Authentication, if present.\n" | 658 "Whether to use HTTP Basic Authentication, if present.\n" |
| 645 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" | 659 "Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION\n" |
| 646 "variables supplied by your web server (in that order).\n" | 660 "variables supplied by your web server (in that order).\n" |
| 647 "Set this option to 'no' if you do not wish to use HTTP Basic\n" | 661 "Set this option to 'no' if you do not wish to use HTTP Basic\n" |
| 648 "Authentication in your web interface."), | 662 "Authentication in your web interface."), |
| 663 (SameSiteSettingOption, 'samesite_cookie_setting', "Lax", | |
| 664 """Set the mode of the SameSite cookie option for | |
| 665 the session cookie. Choices are 'Lax' or | |
| 666 'Strict'. 'None' can be used to suppress the | |
| 667 option. Strict mode provides additional security | |
| 668 against CSRF attacks, but may confuse users who | |
| 669 are logged into roundup and open a roundup link | |
| 670 from a source other than roundup (e.g. link in | |
| 671 email)."""), | |
| 649 (CsrfSettingOption, 'csrf_enforce_token', "yes", | 672 (CsrfSettingOption, 'csrf_enforce_token', "yes", |
| 650 """How do we deal with @csrf fields in posted forms. | 673 """How do we deal with @csrf fields in posted forms. |
| 651 Set this to 'required' to block the post and notify | 674 Set this to 'required' to block the post and notify |
| 652 the user if the field is missing or invalid. | 675 the user if the field is missing or invalid. |
| 653 Set this to 'yes' to block the post and notify the user | 676 Set this to 'yes' to block the post and notify the user |
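Review bot: the help text for `samesite_cookie_setting` (new lines 664-671) should say that the attribute is defence in depth and not a replacement for `csrf_enforce_token`: the commit message records that only Chromium-based browsers honour SameSite at the moment and that the CSRF nonce and header checks are still needed, but an administrator reading only the generated config.ini sees "Strict mode provides additional security against CSRF attacks" and nothing about browser support. Suggest adding a line to the docstring such as "Browsers that do not implement SameSite ignore the attribute; keep csrf_enforce_token enabled." The docstring also lists the choices as 'Lax' or 'Strict' and then adds "'None' can be used to suppress the option", which reads as two different value sets; listing all three with their meaning, in the same capitalization that `SameSiteSettingOption.str2value` returns, would match `class_description` and the "Lax" default.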
