363fd5d Check the HTTP Referer header on all requests

1 file changed. Authored by rcritten a year ago, committed by antorres a year ago.
    Check the HTTP Referer header on all requests
    
    The referer was only checked in WSGIExecutioner classes:
    
     - jsonserver
     - KerberosWSGIExecutioner
     - xmlserver
     - jsonserver_kerb
    
    This left /i18n_messages, /session/login_kerberos,
    /session/login_x509, /session/login_password,
    /session/change_password and /session/sync_token unprotected
    against CSRF attacks.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit 63f76159b0fe5ab779206a28e07a49500fc1fdbe)
    
file modified
+31 -3
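The commit message describes the core of the fix: a Referer check that only ran inside some request handlers left the remaining endpoints reachable by a cross-site form post. The following is an added illustration of enforcing such a check at the WSGI layer for every path; it is example code, not FreeIPA's own patch, and the middleware class, the expected host name ipa.example.test, the stand-in application and the constructed requests are all assumptions made for the demonstration. The check fails closed on a missing header, rejects non-https referers, and compares the parsed host and port rather than a string prefix, so lookalike hosts and userinfo tricks do not pass.

```python
"""Referer-based CSRF check applied to every request by a WSGI middleware.

Added example, not FreeIPA code. The class, the expected host, the stand-in
application and the sample requests are assumptions for illustration only.
"""
from urllib.parse import urlsplit


def referer_matches(referer, expected_host, expected_port=443):
    """Return True only if `referer` is an https URL whose host and port are
    exactly the server's own origin.

    Missing or unparsable headers fail closed. Comparing the parsed hostname
    (not a string prefix) defeats both "ipa.example.test.evil.example" and
    "https://ipa.example.test@evil.example/", where the expected name appears
    in the userinfo part of the URL.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
        host, port = parts.hostname, parts.port  # .port raises on bad ports
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or host is None:
        return False
    return host == expected_host.lower() and (port or 443) == expected_port


class RefererCheckMiddleware:
    """Wrap the whole application so the check covers every path, including
    login, change_password, sync_token and i18n_messages style endpoints that
    a per-handler check would miss."""

    def __init__(self, app, expected_host, expected_port=443):
        self.app = app
        self.expected_host = expected_host
        self.expected_port = expected_port

    def __call__(self, environ, start_response):
        referer = environ.get("HTTP_REFERER")
        if not referer_matches(referer, self.expected_host, self.expected_port):
            body = b"Missing or invalid HTTP Referer\n"
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _protected_app(environ, start_response):
    """Stand-in for the real application: every path answers 200."""
    body = b"ok\n"
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def simulate(path, referer=None, method="POST", expected_host="ipa.example.test"):
    """Drive the wrapped app with a constructed WSGI environ (no network) and
    return (status line, response body)."""
    app = RefererCheckMiddleware(_protected_app, expected_host)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": expected_host, "SERVER_PORT": "443",
               "wsgi.url_scheme": "https"}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # Constructed requests: one legitimate same-origin post, then the kinds of
    # cross-site or malformed referers a CSRF page could produce.
    for path, ref in [
        ("/session/login_password", "https://ipa.example.test/ipa/ui/"),
        ("/session/login_password", "https://evil.example/csrf.html"),
        ("/session/change_password", None),
        ("/i18n_messages", "https://ipa.example.test.evil.example/"),
        ("/session/sync_token", "http://ipa.example.test/ipa/ui/"),
    ]:
        print(path, ref, "->", simulate(path, ref)[0])
```

Because the middleware wraps the application rather than individual handler classes, adding a new endpoint cannot silently bypass the check; the trade-off is that legitimate clients must send a Referer on every request, which is the same behaviour the commit message describes extending to the login and session paths.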