Require invirt-web POSTs to have proper referers oremanj 0.1.18
authorJoshua Oreman <oremanj@rwcr.net>
Sun, 8 May 2011 02:18:48 +0000 (22:18 -0400)
committerJoshua Oreman <oremanj@rwcr.net>
Sun, 8 May 2011 02:37:06 +0000 (22:37 -0400)
code/view.py
debian/changelog

index 5f32874..51f19a5 100644 (file)
@@ -123,6 +123,8 @@ def require_POST():
     if cherrypy.request.method != "POST":
         raise cherrypy.HTTPError(405,
                                  "You must submit this request with POST")
     if cherrypy.request.method != "POST":
         raise cherrypy.HTTPError(405,
                                  "You must submit this request with POST")
+    if not cherrypy.request.headers.get('Referer', '').startswith('https://' + config.web.hostname):
+        raise cherrypy.HTTPError(403, "This form is only usable when submitted from another page on this site. If you receive this message in error, check your browser's Referer settings.")
 
 cherrypy.tools.require_POST = cherrypy.Tool('on_start_resource',
                                             require_POST, priority=150)
 
 cherrypy.tools.require_POST = cherrypy.Tool('on_start_resource',
                                             require_POST, priority=150)
index 20e3437..1d8e0f3 100644 (file)
@@ -1,3 +1,10 @@
+invirt-web (0.1.18) unstable; urgency=low
+
+  * Require a valid Referer header for any POSTed form, as a guard against
+    cross-site request forgery.
+
+ -- Joshua Oreman <oremanj@mit.edu>  Sat, 07 May 2011 22:34:46 -0400
+
 invirt-web (0.1.17) unstable; urgency=low
 
   * Add support for amd64 and i386 squeeze autoinstalls.
 invirt-web (0.1.17) unstable; urgency=low
 
   * Add support for amd64 and i386 squeeze autoinstalls.