Fix referer checks with escaped URLs
authorSimo Sorce <simo@redhat.com>
Tue, 20 May 2014 19:20:43 +0000 (15:20 -0400)
committerSimo Sorce <simo@redhat.com>
Tue, 20 May 2014 20:29:44 +0000 (16:29 -0400)
When a SP name included spaces the referer checker would fail to match
the url. It would try to return a 403 error, unfortunately this would
also trip as a return instead of an exception was used, ending up with
a 500 error being returned to the user.

Fix url checks by unquoting before comparing.
Fix error reporting by raising an exception when needed instead of
returning.

Signed-off-by: Simo Sorce <simo@redhat.com>
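--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipsilon.util.user import UserSession
+from urllib import unquote
 import cherrypy
 
 
@@ -45,6 +46,13 @@ class Page(object):
         self.user = None
         self.form = form
 
+    def _compare_urls(self, url1, url2):
+        u1 = unquote(url1)
+        u2 = unquote(url2)
+        if u1 == u2:
+            return True
+        return False
+
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
         self.user = UserSession().get_user()
@@ -60,12 +68,16 @@ class Page(object):
                 if callable(op):
                     # Basic CSRF protection
                     if cherrypy.request.method != 'GET':
+                        url = cherrypy.url(relative=False)
                         if 'referer' not in cherrypy.request.headers:
-                            return cherrypy.HTTPError(403)
+                            self._debug("Missing referer in %s request to %s"
+                                        % (cherrypy.request.method, url))
+                            raise cherrypy.HTTPError(403)
                         referer = cherrypy.request.headers['referer']
-                        url = cherrypy.url(relative=False)
-                        if referer != url:
-                            return cherrypy.HTTPError(403)
+                        if not self._compare_urls(referer, url):
+                            self._debug("Wrong referer %s in request to %s"
+                                        % (referer, url))
+                            raise cherrypy.HTTPError(403)
                     return op(*args, **kwargs)
             else:
                 op = getattr(self, 'root', None)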
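Review bot: `_compare_urls` in the second hunk can be a single expression, `return unquote(url1) == unquote(url2)`, and deserves a docstring recording that it compares the percent-decoded forms, so `%20` and a literal space match — the SP-name case the commit fixes. Because decoding happens before the comparison, an encoded `%2F` and a literal `/` also compare equal; that is harmless for the exact whole-URL equality `__call__` applies in the third hunk, but worth stating in the docstring so the helper is not later reused for prefix or allowlist matching, where decoding first changes the outcome. The method does not read `self`, so it could also be a `@staticmethod`. The `__call__` body continues outside the third hunk.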