Code review request: CSRF prevention
by Luke Macken
Hi everyone,
Last night I did a lot of hacking on Moksha's CSRF middleware along with our
repoze.who CSRF metadata provider. It seems to be working fine, but I would
like a couple more people to review it before we can deem it safe.
Here is the code::
https://fedorahosted.org/moksha/browser/moksha/middleware/csrf.py
Test cases::
https://fedorahosted.org/moksha/browser/moksha/tests/functional/test_csrf.py
Output of test cases::
CSRFProtectionMiddleware(/)
Clearing identity
CSRFProtectionMiddleware(/moksha_admin/)
Clearing identity
CSRFProtectionMiddleware(/login)
Clearing identity
CSRFMetadataProvider.add_metadata(/login_handler)
session cookie= None
Invalid session cookie, not setting CSRF token!
CSRFMetadataProvider.add_metadata(/post_login)
session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/post_login)
Auth state... rewriting headers
response.location = http://localhost/moksha_admin/?_csrf_token=4290e910c55274607ed54bf6a8df55...
CSRFMetadataProvider.add_metadata(/moksha_admin/)
session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/moksha_admin/)
csrf_token_id in GET
User supplied CSRF token match environ!
CSRFMetadataProvider.add_metadata(/moksha_admin/)
session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/moksha_admin/)
csrf_token_id in POST
User supplied CSRF token match environ!
CSRFMetadataProvider.add_metadata(/moksha_admin/)
session cookie= 'cabcb2bf43f60590aafbebbd8ff3430549bfba40manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/moksha_admin/)
Clearing identity
Deleting repoze.who.identity from environ
Deleting repoze.what.credentials from environ
Invalid CSRF token. User supplied (None) doesn't match what's in our environ (4290e910c55274607ed54bf6a8df551387beeabb)
Logging the user out
CSRFProtectionMiddleware(/moksha_admin/)
csrf_token_id in POST
Clearing identity
CSRFProtectionMiddleware(/)
Clearing identity
CSRFProtectionMiddleware(/moksha_admin/)
Clearing identity
CSRFProtectionMiddleware(/login)
Clearing identity
CSRFMetadataProvider.add_metadata(/login_handler)
session cookie= ''
Invalid session cookie, not setting CSRF token!
CSRFMetadataProvider.add_metadata(/post_login)
session cookie= '091657d7699155ff19603ea6a6440e7a49bfba41manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/post_login)
Auth state... rewriting headers
response.location = http://localhost/moksha_admin/?_csrf_token=28aca41ba0510496c96b2523e9eece...
CSRFMetadataProvider.add_metadata(/moksha_admin/)
session cookie= '091657d7699155ff19603ea6a6440e7a49bfba41manager!'
Identity updated with CSRF token
CSRFProtectionMiddleware(/moksha_admin/)
csrf_token_id in POST
Clearing identity
Deleting repoze.who.identity from environ
Deleting repoze.what.credentials from environ
Invalid CSRF token. User supplied (4290e910c55274607ed54bf6a8df551387beeabb ) doesn't match what's in our environ (28aca41ba0510496c96b2523e9eece524b4f369e)
Logging the user out
.
----------------------------------------------------------------------
Ran 1 test in 2.140s
OK
15 years, 1 month
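The token flow visible in the test output above (token attached to the identity only when a valid session cookie is present, checked from GET or POST against what is in the environ, identity and credentials dropped on mismatch, post-login redirect carrying `_csrf_token`), as an added stand-alone Python sketch that is not Moksha's own middleware code. The server secret, the cookie name `authtkt`, and the helper names are assumptions; the request environs are constructed for offline testing.

```python
import hashlib, hmac, io
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode
SECRET = b"constructed-server-secret"  # assumption: per-deployment secret, not on the page
COOKIE = "authtkt"                     # assumption: name of the repoze.who session cookie
PARAM = "_csrf_token"                  # parameter name seen in the post's log output

def csrf_token_for(session_cookie):
    # HMAC binds the token to the session; a bare hash of the cookie would be computable.
    return hmac.new(SECRET, session_cookie.encode(), hashlib.sha1).hexdigest()

def add_metadata(environ):
    # Metadata-provider step: token goes on the identity only for a non-empty session cookie.
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE)
    if morsel is None or not morsel.value:
        return None  # "Invalid session cookie, not setting CSRF token!"
    token = csrf_token_for(morsel.value)
    environ.setdefault("repoze.who.identity", {})[PARAM] = token
    return token

def supplied_token(environ):
    # Query string first, then a form-encoded POST body.
    found = parse_qs(environ.get("QUERY_STRING", "")).get(PARAM)
    if found is None and environ.get("REQUEST_METHOD") == "POST":
        body = environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))
        found = parse_qs(body.decode()).get(PARAM)
    return found[0] if found else None

def check_request(environ):
    # Middleware step: returns "anonymous", "ok" or "logged_out" (identity/credentials dropped).
    identity = environ.get("repoze.who.identity")
    if not identity:
        return "anonymous"
    got = supplied_token(environ)
    if got is not None and hmac.compare_digest(got.encode(), identity[PARAM].encode()):
        return "ok"
    environ.pop("repoze.who.identity", None)
    environ.pop("repoze.what.credentials", None)
    return "logged_out"

def rewrite_location(location, token):
    # Post-login redirect: append the token to the Location header, as the log shows.
    return location + ("&" if "?" in location else "?") + urlencode({PARAM: token})
def make_environ(method, cookie=None, query="", form=None):
    # Constructed WSGI environ for offline testing, not a real request.
    body = urlencode(form or {}).encode()
    env = {"REQUEST_METHOD": method, "QUERY_STRING": query, "PATH_INFO": "/moksha_admin/",
           "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    if cookie is not None:
        env["HTTP_COOKIE"] = COOKIE + "=" + cookie
    return env
```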
can't make meeting tomorrow
by Máirín Duffy
Hi,
Just wanted to let you know that I can't make the meeting tomorrow...
there's a usability test I'm helping out with.
~m
15 years, 2 months
Re: Please fix your bugs in release instead of rawhide!
by Tom Callaway
On 03/11/2009 12:04 PM, Adam Williamson wrote:
> Well, I don't really see it that way. Here's my workflow - I come across
> a link to an Ubuntu bug report (at launchpad.net), so I go and look at
> it, and I see the stuff I like - right at the top I can see that it
> exists in, say, Itchy, Scratchy and Dopey(*), as well as in the upstream
> code (and I can immediately see the status of the upstream report). This
> is the stuff that there's just no good way to do in Bugzilla. Believe
> me, I've thought of about sixteen different ways to try and track the
> same bug across multiple distribution releases in Bugzilla, and there
> isn't any one which handles it as well as Launchpad does.
So, the longer term plan is to enable workflows like this in the "Fedora
Community" application (used to be called "MyFedora") with moksha.
/*
Look at our pretty mockups!
https://fedoraproject.org/wiki/FedoraCommunity/Mockups
*/
It won't happen in the first iteration (coming soon!), but it is
something that I think we want to target for the second milestone. We'll
definitely be looking for feedback on some example workflows that people
would like to be able to use in Fedora.
~spot
15 years, 2 months
Monday AM meeting
by Tom Callaway
Due to snow, I'm going to be calling in to today's meeting. Anyone who
would normally be expected to be in the office can feel free to do the same.
~spot
15 years, 3 months