Check CSRF properly on the /config admin site.
Ryan Hitchman committed Jan 24, 2018
1 parent 3b77d19 commit cc6cfcf
Showing 3 changed files with 10 additions and 1 deletion.
1 change: 0 additions & 1 deletion gubernator/github/admin.py
Expand Up @@ -91,7 +91,6 @@ def check_csrf(self):
# #Checking_The_Referer_Header
origin = self.request.headers.get('origin') + '/'
expected = self.request.host_url + '/'
print expected
if not (origin and origin == expected):
logging.error('csrf check failed for %s, origin: %r', self.request.url, origin)
self.abort(403)
1 change: 1 addition & 0 deletions gubernator/main.py
Expand Up @@ -64,6 +64,7 @@ def get(self):
self.render('config.html', {'hostname': hostname})

def post(self):
self.check_csrf()
if users.is_current_user_admin():
oauth_set = False
webhook_set = False
9 changes: 9 additions & 0 deletions gubernator/view_base.py
Expand Up @@ -58,6 +58,15 @@ def __init__(self, *args, **kwargs):
# directory listing operations.
urlfetch.set_default_fetch_deadline(60)

def check_csrf(self):
# https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
# #Checking_The_Referer_Header
origin = self.request.headers.get('origin') + '/'
expected = self.request.host_url + '/'
if not (origin and origin == expected):
logging.error('csrf check failed for %s, origin: %r', self.request.url, origin)
self.abort(403)

# This example code is from:
# http://webapp2.readthedocs.io/en/latest/api/webapp2_extras/sessions.html
def dispatch(self):
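Review bot: `self.request.headers.get('origin') + '/'` in the new check_csrf raises TypeError when the request carries no Origin header, so such a POST fails with a 500 instead of the intended 403, and the `origin and` guard on the following line never sees the None it was written for because origin is always a non-empty string by then. Read the header first and compare afterwards: `origin = self.request.headers.get('origin')` followed by `if not origin or origin + '/' != self.request.host_url + '/':`. The same expression is in the check_csrf hunk of gubernator/github/admin.py, which this commit only strips a debug print from; if that handler derives from this base class, the copy could be dropped in favour of this method. The OWASP section cited in the comment also describes falling back to the Referer header when Origin is absent, which this check does not do — if that is deliberate, a one-line comment such as `# Origin only; requests without it are rejected` would document the decision. The dispatch method starts at the end of the hunk and continues outside it.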