From: Simo Sorce
Date: Tue, 20 May 2014 19:20:43 +0000 (-0400)
Subject: Fix referer checks with escaped URLs
X-Git-Tag: v0.2.5~18
X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=8d082183f55722777ef2ff4baaa0af9962c3ab2e

Fix referer checks with escaped URLs

When a SP name included spaces the referer checker would fail to match the url. It would try to return a 403 error, unfortunately this would also trip as a return instead of an exception was used, ending up with a 500 error being returned to the user. Fix url checks by unquoting before comparing. Fix error reporting by rasing an exception when needed instead of returning.

Signed-off-by: Simo Sorce
---
diff --git a/ipsilon/util/page.py b/ipsilon/util/page.py
index 1968009..ae1f116 100755
--- a/ipsilon/util/page.py
+++ b/ipsilon/util/page.py
@@ -18,6 +18,7 @@
 # along with this program. If not, see .
 
 from ipsilon.util.user import UserSession
+from urllib import unquote
 
 import cherrypy
 
@@ -45,6 +46,13 @@ class Page(object):
         self.user = None
         self.form = form
 
+    def _compare_urls(self, url1, url2):
+        u1 = unquote(url1)
+        u2 = unquote(url2)
+        if u1 == u2:
+            return True
+        return False
+
     def __call__(self, *args, **kwargs):
         # pylint: disable=star-args
         self.user = UserSession().get_user()
@@ -60,12 +68,16 @@ class Page(object):
         if callable(op):
             # Basic CSRF protection
             if cherrypy.request.method != 'GET':
+                url = cherrypy.url(relative=False)
                 if 'referer' not in cherrypy.request.headers:
-                    return cherrypy.HTTPError(403)
+                    self._debug("Missing referer in %s request to %s"
+                                % (cherrypy.request.method, url))
+                    raise cherrypy.HTTPError(403)
                 referer = cherrypy.request.headers['referer']
-                url = cherrypy.url(relative=False)
-                if referer != url:
-                    return cherrypy.HTTPError(403)
+                if not self._compare_urls(referer, url):
+                    self._debug("Wrong referer %s in request to %s"
+                                % (referer, url))
+                    raise cherrypy.HTTPError(403)
             return op(*args, **kwargs)
         else:
             op = getattr(self, 'root', None)
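Review bot: `_compare_urls` in the second hunk spells out a boolean with an if/return pair; `return unquote(url1) == unquote(url2)` says the same thing in the idiomatic form. A one-line docstring would also help, e.g. `"""Compare two URLs after undoing percent-encoding on both sides."""`, since the reason for unquoting (SP names containing spaces arrive percent-encoded in the Referer) lives only in the commit message. The check in the third hunk still requires the Referer to equal the exact request URL, so the 403 also fires for legitimate clients that omit or truncate Referer (referrer policies, privacy extensions); that behaviour is inherited rather than introduced here, but a note next to `# Basic CSRF protection` that this is a stopgap rather than a token-based defence would set expectations for the next reader. The new `_debug` calls log the full referer and URL, which may carry query strings; that is reasonable at debug level, but worth confirming nothing sensitive travels in those URLs. `_debug` is defined outside this hunk, so its level and destination cannot be checked from here.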