08e6fb3 Check the HTTP Referer header on all requests

1 file Authored by rcritten 10 months ago, Committed by antorres 10 months ago,
    Check the HTTP Referer header on all requests
    
    The referer was only checked in WSGIExecutioner classes:
    
     - jsonserver
     - KerberosWSGIExecutioner
     - xmlserver
     - jsonserver_kerb
    
    This left /i18n_messages, /session/login_kerberos,
    /session/login_x509, /session/login_password,
    /session/change_password and /session/sync_token unprotected
    against CSRF attacks.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit 2c52a7dfd26ac561786e72e4304acbf9585698b6)
    
        
file modified
+31 -3