diff roundup/cgi/client.py @ 5946:1b50c2c5619a
Fix crash bug where looking for @csrf in a form failed.
Using HTTP PATCH and a json payload, self.form.list was set to
None. This caused a crash in csrf nonce checking. So the check now
validates that self.form.list is not None before it tries: '@csrf' in
self.form.
Since the check that broke was to make sure that the csrf nonce wasn't
being used with GET, having self.form.list == None is the same as
@csrf in self.form failing.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 23 Oct 2019 12:55:59 -0400 |
| parents | db9bd45d50ad |
| children | 54d0080769f9 |
--- a/roundup/cgi/client.py Tue Oct 22 23:36:10 2019 -0400 +++ b/roundup/cgi/client.py Wed Oct 23 12:55:59 2019 -0400 @@ -1145,7 +1145,7 @@ state on the server (one nonce per form per page). If you have multiple forms/page this can lead to abandoned csrf tokens that have to time - out and get cleaned up.But you lose per form + out and get cleaned up. But you lose per form tokens which may be an advantage. Also the HMAC is constant for the session, so provides more occasions for it to be exposed. @@ -1157,7 +1157,7 @@ A session token lifetime is settable in config.ini. A future enhancement to the creation routines should allow for the requester - of the token to set the lifetime.t + of the token to set the lifetime. The unique session key and user id is stored with the token. The token is valid if the stored @@ -1187,7 +1187,7 @@ # Assume: never allow changes via GET if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']: - if "@csrf" in self.form: + if (self.form.list is not None) and ("@csrf" in self.form): # We have a nonce being used with a method it should # not be. If the nonce exists, report to admin so they # can fix the nonce leakage and destroy it. (nonces
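Review bot: in the third hunk (the `if self.env['REQUEST_METHOD'] not in ['POST', 'PUT', 'DELETE']:` block), the new guard `(self.form.list is not None) and ("@csrf" in self.form)` depends on a `cgi.FieldStorage` implementation detail, so it deserves an inline comment stating why `list` can be `None` (the commit message says: a PATCH request with a JSON body rather than form-encoded fields). Two follow-ups are worth raising here: first, PATCH is absent from the method list, so a PATCH request takes the "never allow changes via GET" branch; if that is intentional because JSON/REST requests handle CSRF elsewhere, say so in the comment, and if not, PATCH should probably join POST/PUT/DELETE. Second, any other `"..." in self.form` lookup reached with a non-form body (the POST/PUT/DELETE path of this same routine, for example) will hit the same `None` crash, so consider a single helper such as `def _form_has(self, key): return self.form.list is not None and key in self.form` and use it consistently instead of guarding one site.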
