cc3a1db Check the HTTP Referer header on all requests

1 file Authored by frenaud 5 months ago, Committed by antorres 5 months ago,
    Check the HTTP Referer header on all requests
    
    The referer was only checked in WSGIExecutioner classes:
    
     - jsonserver
     - KerberosWSGIExecutioner
     - xmlserver
     - jsonserver_kerb
    
    This left /i18n_messages, /session/login_kerberos,
    /session/login_x509, /session/login_password,
    /session/change_password and /session/sync_token unprotected
    against CSRF attacks.
    
    CVE-2023-5455
    
    Signed-off-by: Rob Crittenden <rcritten@redhat.com>
    (cherry picked from commit 2e0d7d94a4bce0c5abc4b6d08a48a9451deb1c11)
    
        
file modified
+31 -3