Commit - freeipa - 08e6fb3a2c1d28dc7efcd3395aaf4b705fec4305

freeipa

`08e6fb3` Check the HTTP Referer header on all requests

1 file Authored by rcritten 4 months ago, Committed by antorres 4 months ago,

raw patch tree parent

1 file changed. 31 lines added. 3 lines removed.

    Check the HTTP Referer header on all requests
    
    The referer was only checked in WSGIExecutioner classes:
    
     - jsonserver
     - KerberosWSGIExecutioner
     - xmlserver
     - jsonserver_kerb
    
    This left /i18n_messages, /session/login_kerberos,
    /session/login_x509, /session/login_password,
    /session/change_password and /session/sync_token unprotected
    against CSRF attacks.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit 2c52a7dfd26ac561786e72e4304acbf9585698b6)

ipaserver/rpcserver.py

file modified

+31 -3

freeipa

Source Code

08e6fb3 Check the HTTP Referer header on all requests

1 file Authored by rcritten 4 months ago, Committed by antorres 4 months ago,

`08e6fb3` Check the HTTP Referer header on all requests