allura-commits mailing list archives

From brond...@apache.org
Subject allura git commit: [#7906] in login post, pass a _session_id value in both POST and cookies, so it gets past CSRF checks
Date Mon, 29 Jun 2015 18:01:56 GMT
Repository: allura
Updated Branches:
  refs/heads/db/7906 [created] 9e6be3a94


[#7906] in login post, pass a _session_id value in both POST and cookies, so it gets past CSRF checks


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/9e6be3a9
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/9e6be3a9
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/9e6be3a9

Branch: refs/heads/db/7906
Commit: 9e6be3a946d122d309c063bd2434fa6fa6b38acf
Parents: fbb8da9
Author: Dave Brondsema <dbrondsema@slashdotmedia.com>
Authored: Mon Jun 29 18:01:36 2015 +0000
Committer: Dave Brondsema <dbrondsema@slashdotmedia.com>
Committed: Mon Jun 29 18:01:36 2015 +0000

----------------------------------------------------------------------
 scripts/ApacheAccessHandler.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/9e6be3a9/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 1af3714..1ee9ebc 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -115,7 +115,11 @@ def check_authentication(req):
     r = requests.post(auth_url, allow_redirects=False, data={
         'username': username,
         'password': password,
-        'return_to': '/login_successful'})
+        'return_to': '/login_successful',
+        '_session_id': 'this-is-our-session',
+    }, cookies={
+        '_session_id': 'this-is-our-session',
+    })
     return r.status_code == 302 and r.headers['location'].endswith('/login_successful')
 
 
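Review bot: the hard-coded `'this-is-our-session'` literal in both `data` and `cookies` needs an inline comment stating that it exists only to satisfy the login endpoint's double-submit CSRF check (the POSTed `_session_id` must match the `_session_id` cookie, as the commit message says); without that, a later reader could mistake it for a real session id or a leftover from debugging. Consider generating the value per call (for example `str(uuid.uuid4())` from the standard library) instead of a fixed literal, so the script does not send the same token on every authentication attempt. On the unchanged return line, `r.headers['location']` raises `KeyError` on a 302 that carries no `Location` header; `r.headers.get('location', '')` keeps the function returning a clean False in that case.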

