From 2b9692621b0ee27def37c597621ea6a20c757ca8 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 21 Nov 2023 09:37:25 +0100 Subject: [PATCH] Check the HTTP Referer header on all requests The referer was only checked in WSGIExecutioner classes: - jsonserver - KerberosWSGIExecutioner - xmlserver - jsonserver_kerb This left /i18n_messages, /session/login_kerberos, /session/login_x509, /session/login_password, /session/change_password and /session/sync_token unprotected against CSRF attacks. CVE-2023-5455 Signed-off-by: Rob Crittenden --- ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 3c831a55888ba723fc52c988593c364fb7883b7b..91bec2133479a9b4bd1311e6be800d982cf855f3 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -136,6 +136,19 @@ _success_template = """ """ class HTTP_Status(plugable.Plugin): + def check_referer(self, environ): + if "HTTP_REFERER" not in environ: + logger.error("Rejecting request with missing Referer") + return False + if (not environ["HTTP_REFERER"].startswith( + "https://%s/ipa" % self.api.env.host) + and not self.env.in_tree): + logger.error("Rejecting request with bad Referer %s", + environ["HTTP_REFERER"]) + return False + logger.debug("Valid Referer %s", environ["HTTP_REFERER"]) + return True + def not_found(self, environ, start_response, url, message): """ Return a 404 Not Found error. @@ -297,9 +310,6 @@ class wsgi_dispatch(Executioner, HTTP_Status): self.__apps[key] = app - - - class WSGIExecutioner(Executioner): """ Base class for execution backends with a WSGI application interface. @@ -803,6 +813,9 @@ class jsonserver_session(jsonserver, KerberosSession): logger.debug('WSGI jsonserver_session.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + # Redirect to login if no Kerberos credentials ccache_name = self.get_environ_creds(environ) if ccache_name is None: @@ -843,6 +856,9 @@ class KerberosLogin(Backend, KerberosSession): def __call__(self, environ, start_response): logger.debug('WSGI KerberosLogin.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + # Redirect to login if no Kerberos credentials user_ccache_name = self.get_environ_creds(environ) if user_ccache_name is None: @@ -861,6 +877,9 @@ class login_x509(KerberosLogin): def __call__(self, environ, start_response): logger.debug('WSGI login_x509.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + if 'KRB5CCNAME' not in environ: return self.unauthorized( environ, start_response, 'KRB5CCNAME not set', @@ -881,6 +900,9 @@ class login_password(Backend, KerberosSession): def __call__(self, environ, start_response): logger.debug('WSGI login_password.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + # Get the user and password parameters from the request content_type = environ.get('CONTENT_TYPE', '').lower() if not content_type.startswith('application/x-www-form-urlencoded'): @@ -1018,6 +1040,9 @@ class change_password(Backend, HTTP_Status): def __call__(self, environ, start_response): logger.info('WSGI change_password.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + # Get the user and password parameters from the request content_type = environ.get('CONTENT_TYPE', '').lower() if not content_type.startswith('application/x-www-form-urlencoded'): @@ -1231,6 +1256,9 @@ class xmlserver_session(xmlserver, KerberosSession): logger.debug('WSGI xmlserver_session.__call__:') + if not self.check_referer(environ): + return self.bad_request(environ, start_response, 'denied') + ccache_name = environ.get('KRB5CCNAME') # Redirect to /ipa/xml if no Kerberos credentials -- 2.26.3