diff roundup/cgi/client.py @ 5696:b67636bc87d0
Add CSRF protection to rest code path. Follow same model as for
xmlrpc. The original rest code was developed before the CSRF code was
added to xmlrpc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 07 Apr 2019 20:27:25 -0400 |
| parents | f60c44563c3a |
| children | 17e110426ad7 |
--- a/roundup/cgi/client.py Sun Apr 07 20:17:52 2019 -0400
+++ b/roundup/cgi/client.py Sun Apr 07 20:27:25 2019 -0400
@@ -537,11 +537,35 @@
         self.check_anonymous_access()
-        # Call rest library to handle the request
-        handler = rest.RestfulInstance(self, self.db)
-        output = handler.dispatch(self.env['REQUEST_METHOD'], self.path,
-                                  self.form)
+        try:
+            # Call csrf with xmlrpc checks enabled.
+            # It will return True if everything is ok,
+            # raises exception on check failure.
+            csrf_ok = self.handle_csrf(xmlrpc=True)
+        except (Unauthorised, UsageError) as msg:
+            # report exception back to server
+            exc_type, exc_value, exc_tb = sys.exc_info()
+            # FIXME should return what the client requests
+            # via accept header.
+            output = s2b("%s: %s\n"%(exc_type, exc_value))
+            self.response_code = 400
+            self.setHeader("Content-Length", str(len(output)))
+            self.setHeader("Content-Type", "text/plain")
+            self.write(output)
+            csrf_ok = False # we had an error, failed check
+            return
+        # With the return above the if will never be false,
+        # Keeping the if so we can remove return to pass
+        # output though and format output according to accept
+        # header.
+        if csrf_ok == True:
+            # Call rest library to handle the request
+            handler = rest.RestfulInstance(self, self.db)
+            output = handler.dispatch(self.env['REQUEST_METHOD'],
+                                      self.path, self.form)
+
+        # type header set by rest handler
         # self.setHeader("Content-Type", "text/xml")
         self.setHeader("Content-Length", str(len(output)))
         self.write(output)
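Review bot: `output` is assigned only inside the `if csrf_ok == True:` branch, so if `handle_csrf` ever returns a falsy value instead of raising, the context line `self.setHeader("Content-Length", str(len(output)))` fails with UnboundLocalError rather than producing a clean rejection; the comment above the `if` admits the guard can currently only be true, which leaves a misleading dead branch in a security check. A tighter shape is to add `if not csrf_ok: raise Unauthorised('CSRF check failed')` inside the `try` directly after the `handle_csrf` call, so a False result takes the same error path as an exception and the dispatch below becomes unconditional. In the `except` block the exception is already bound as `msg`, yet the body is rebuilt from `sys.exc_info()` and `exc_tb` and `msg` go unused; `output = s2b("%s: %s\n" % (type(msg).__name__, msg))` is simpler and avoids sending the `<class '...'>` repr of the exception type to the caller. Returning 400 for an `Unauthorised` failure is debatable, since 403 describes a rejected CSRF check more accurately, and the comment `# report exception back to server` should read `client`. The enclosing method starts before the hunk.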
