Mitigate CSRF on notification #216

ikus060 · ikus060 · commit 18a5aabd48fa · 2022-09-20T10:54:54.000-04:00
diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 
 * Support MarkupSafe<3 for Debian bookworm
+* Mitigate CSRF on user's notification settings #216 [CVE-2022-3233](https://nvd.nist.gov/vuln/detail/CVE-2022-3233)
 
 ## 2.4.5 (2002-09-16)
 
diff --git a/rdiffweb/controller/pref_notification.py b/rdiffweb/controller/pref_notification.py
@@ -21,6 +21,8 @@
 
 import logging
 
+import cherrypy
+
 from rdiffweb.controller import Controller, validate_int
 from rdiffweb.tools.i18n import ugettext as _
 
@@ -45,7 +47,7 @@ def _handle_set_notification_info(self, **kwargs):
 
     def render_prefs_panel(self, panelid, action=None, **kwargs):  # @UnusedVariable
         # Process the parameters.
-        if action == "set_notification_info":
+        if cherrypy.request.method == 'POST' and action == "set_notification_info":
             self._handle_set_notification_info(**kwargs)
 
         params = {
diff --git a/rdiffweb/controller/tests/test_page_prefs.py b/rdiffweb/controller/tests/test_page_prefs.py
@@ -139,6 +139,18 @@ def test_update_notification(self):
         repo_obj = self.app.store.get_user(self.USERNAME).get_repo(self.REPO)
         self.assertEqual(7, repo_obj.maxage)
 
+    def test_update_notification_method_get(self):
+        # Given a user with repositories
+        # When trying to update notification with GET method
+        self.getPage("/prefs/notification?action=set_notification_info&testcases=7")
+        # Then page return with success
+        self.assertStatus(200)
+        # Then page doesn't update values
+        self.assertNotInBody('Notification settings updated successfully.')
+        # Then database is not updated
+        repo_obj = self.app.store.get_user(self.USERNAME).get_repo(self.REPO)
+        self.assertEqual(0, repo_obj.maxage)
+
     def test_get_page(self):
         self.getPage("/prefs/", method='GET')
         self.assertInBody("SSH")
