e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 2c52a7dfd26ac561786e72e4304acbf9585698b6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 6 Oct 2023 20:16:29 +0000
Subject: [PATCH] Check the HTTP Referer header on all requests
The referer was only checked in WSGIExecutioner classes:
- jsonserver
- KerberosWSGIExecutioner
- xmlserver
- jsonserver_kerb
This left /i18n_messages, /session/login_kerberos,
/session/login_x509, /session/login_password,
/session/change_password and /session/sync_token unprotected
against CSRF attacks.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++---
1 file changed, 31 insertions(+), 3 deletions(-)
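diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d475ff31e8c 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -156,6 +156,19 @@ _success_template = """<html>
 </html>"""
 
 class HTTP_Status(plugable.Plugin):
+    def check_referer(self, environ):
+        if "HTTP_REFERER" not in environ:
+            logger.error("Rejecting request with missing Referer")
+            return False
+        if (not environ["HTTP_REFERER"].startswith(
+                "https://%s/ipa" % self.api.env.host)
+                and not self.env.in_tree):
+            logger.error("Rejecting request with bad Referer %s",
+                         environ["HTTP_REFERER"])
+            return False
+        logger.debug("Valid Referer %s", environ["HTTP_REFERER"])
+        return True
+
     def not_found(self, environ, start_response, url, message):
         """
         Return a 404 Not Found error.
@@ -331,9 +344,6 @@ class wsgi_dispatch(Executioner, HTTP_Status):
         self.__apps[key] = app
 
 
-
-
-
 class WSGIExecutioner(Executioner):
     """
     Base class for execution backends with a WSGI application interface.
@@ -898,6 +908,9 @@ class jsonserver_session(jsonserver, KerberosSession):
 
         logger.debug('WSGI jsonserver_session.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         # Redirect to login if no Kerberos credentials
         ccache_name = self.get_environ_creds(environ)
         if ccache_name is None:
@@ -950,6 +963,9 @@ class KerberosLogin(Backend, KerberosSession):
     def __call__(self, environ, start_response):
         logger.debug('WSGI KerberosLogin.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         # Redirect to login if no Kerberos credentials
         user_ccache_name = self.get_environ_creds(environ)
         if user_ccache_name is None:
@@ -968,6 +984,9 @@ class login_x509(KerberosLogin):
     def __call__(self, environ, start_response):
         logger.debug('WSGI login_x509.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         if 'KRB5CCNAME' not in environ:
             return self.unauthorized(
                 environ, start_response, 'KRB5CCNAME not set',
@@ -1016,6 +1035,9 @@ class login_password(Backend, KerberosSession):
 
         logger.debug('WSGI login_password.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         # Get the user and password parameters from the request
         content_type = environ.get('CONTENT_TYPE', '').lower()
         if not content_type.startswith('application/x-www-form-urlencoded'):
@@ -1148,6 +1170,9 @@ class change_password(Backend, HTTP_Status):
     def __call__(self, environ, start_response):
         logger.info('WSGI change_password.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         # Get the user and password parameters from the request
         content_type = environ.get('CONTENT_TYPE', '').lower()
         if not content_type.startswith('application/x-www-form-urlencoded'):
@@ -1365,6 +1390,9 @@ class xmlserver_session(xmlserver, KerberosSession):
 
         logger.debug('WSGI xmlserver_session.__call__:')
 
+        if not self.check_referer(environ):
+            return self.bad_request(environ, start_response, 'denied')
+
         ccache_name = environ.get('KRB5CCNAME')
 
         # Redirect to /ipa/xml if no Kerberos credentials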
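Review bot: check_referer, added in the first hunk of ipaserver/rpcserver.py, has no docstring even though it is now the CSRF gate in front of every login, session and password endpoint, and its policy is not obvious from the code: a request is refused when the Referer header is absent or does not start with `"https://%s/ipa" % self.api.env.host`, except that with env.in_tree set any Referer value passes. A browser that reaches the server under a name other than api.env.host (an alias or load-balancer hostname), or that strips the Referer under a restrictive referrer policy, is therefore answered with 400 'denied' and only the server log says why; that deployment constraint belongs in the docstring so operators do not mistake it for an authentication failure. I would add, directly under `def check_referer(self, environ):`, a docstring stating that the method returns True when the request may proceed and False, after logging at error level, when the Referer is missing or not under https://<api.env.host>/ipa, and that the in_tree bypass is for development servers reached under arbitrary names — the latter is inferred from the flag name, so confirm it before writing it. The six call sites in the later hunks are uniform and need no comment beyond that docstring.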
--
|
|
2.43.0
|
|
|