c86dcf4 Integration tests for verifying Referer header in the UI

5 files Authored by frenaud 4 months ago, Committed by antorres 4 months ago,
    Integration tests for verifying Referer header in the UI
    
    Validate that the change_password and login_password endpoints
    verify the HTTP Referer header. There is some overlap in the
    tests: belt and suspenders.
    
    All endpoints except session/login_x509 are covered, sometimes
    having to rely on expected bad results (see the i18n endpoint).
    
    session/login_x509 is not tested yet as it requires significant
    additional setup in order to associate a user certificate with
    a user entry, etc.
    
    This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
    and adding:
    
    Satisfy Any
    Require all granted
    
    Then comment out Auth and SSLVerify, etc. and restart httpd.
    
    With a valid Referer it will fail with a 401 and log that there is no
    KRB5CCNAME. This comes after the Referer check.
    
    With an invalid Referer it will fail with a 400 Bad Request as
    expected.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit ebe876e1b3da319ceba24a82396c576a600566a0)
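The Referer check that these tests exercise, as an added example (not FreeIPA's own code): a WSGI guard that answers 400 Bad Request when the Referer is missing or names another origin, so only a request with a valid Referer reaches the endpoint, where a missing Kerberos credential cache then yields the 401 the message describes. The host name ipa.example.test and the stand-in password endpoint are constructed for the example.

```python
from urllib.parse import urlsplit


def referer_ok(referer, expected_host):
    """True only if Referer is an https URL on expected_host (assumed policy)."""
    if not referer:
        return False
    parts = urlsplit(referer)
    # netloc carries any explicit port, so the caller passes host[:port].
    return parts.scheme == "https" and parts.netloc.lower() == expected_host.lower()


def referer_guard(app, expected_host):
    """WSGI middleware: reject with 400 before the request reaches app."""
    def guarded(environ, start_response):
        if not referer_ok(environ.get("HTTP_REFERER"), expected_host):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Missing or invalid Referer\n"]
        return app(environ, start_response)
    return guarded


def _password_endpoint(environ, start_response):
    """Stand-in for change_password/login_password (constructed): with no
    Kerberos credential cache it answers 401, as the commit message reports."""
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"no KRB5CCNAME\n"]


def call(app, referer=None, path="/ipa/session/change_password"):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


# Assumed server name; the guard compares scheme and host, not the path.
APP = referer_guard(_password_endpoint, "ipa.example.test")

if __name__ == "__main__":
    for ref in (None, "http://ipa.example.test/ipa/ui/",
                "https://other.example/ipa/ui/", "https://ipa.example.test/ipa/ui/"):
        print(repr(ref), "->", call(APP, ref)[0])
```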
    