From 58eccae357182103ef15844b74c96aaa4bae7d93 Mon Sep 17 00:00:00 2001
From: Joshua Oreman
Date: Sat, 7 May 2011 22:18:48 -0400
Subject: [PATCH] Require invirt-web POSTs to have proper referers
---
 code/view.py | 2 ++
 debian/changelog | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/code/view.py b/code/view.py
index 5f32874..51f19a5 100644
--- a/code/view.py
+++ b/code/view.py
@@ -123,6 +123,8 @@ def require_POST():
 if cherrypy.request.method != "POST":
 raise cherrypy.HTTPError(405, "You must submit this request with POST")
+ if not cherrypy.request.headers.get('Referer', '').startswith('https://' + config.web.hostname):
+ raise cherrypy.HTTPError(403, "This form is only usable when submitted from another page on this site. If you receive this message in error, check your browser's Referer settings.")
 cherrypy.tools.require_POST = cherrypy.Tool('on_start_resource', require_POST, priority=150)
diff --git a/debian/changelog b/debian/changelog
index 20e3437..1d8e0f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+invirt-web (0.1.18) unstable; urgency=low
+
+ * Require a valid Referer header for any POSTed form, as a guard against
+ cross-site request forgery.
+
+ -- Joshua Oreman Sat, 07 May 2011 22:34:46 -0400
+
 invirt-web (0.1.17) unstable; urgency=low
 * Add support for amd64 and i386 squeeze autoinstalls.
-- 
1.7.9.5
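Review bot: The added Referer check in require_POST is a bare prefix match, so `startswith('https://' + config.web.hostname)` also accepts any referring host that merely begins with the configured hostname, which undercuts the CSRF guard the changelog describes. Terminating the expected origin closes that gap: `if not cherrypy.request.headers.get('Referer', '').startswith('https://' + config.web.hostname + '/'):`; comparing the parsed Referer scheme and host against `config.web.hostname` would be more robust still if the file already has a URL parser in scope (the import block is not visible here). Referer is also a weaker CSRF signal than a per-session form token, since browsers and proxies may strip it (which is why the 403 text has to explain itself), so a comment above the new check such as `# CSRF guard: only accept POSTs whose Referer is an https page on this host; a form token would be stronger` would help the next maintainer understand the trade-off. The `def require_POST():` line sits just above the hunk, outside it.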