Skip to content

Commit

Permalink
Mitigate CSRF on repository settings #217
Browse files Browse the repository at this point in the history
  • Loading branch information
ikus060 committed Sep 20, 2022
1 parent 18a5aab commit 20fc0d3
Show file tree
Hide file tree
Showing 5 changed files with 37 additions and 6 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,7 @@ This releases include a security fix. If you are using an earlier version, you s

* Support MarkupSafe<3 for Debian bookworm
* Mitigate CSRF on user's notification settings #216 [CVE-2022-3233](https://nvd.nist.gov/vuln/detail/CVE-2022-3233)
* Mitigate CSRF on repository settings #217

## 2.4.5 (2002-09-16)

Expand Down
13 changes: 7 additions & 6 deletions rdiffweb/controller/page_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,13 @@ class SettingsPage(Controller):
)
def default(self, path=b"", action=None, **kwargs):
repo_obj = self.app.store.get_repo(path)
if kwargs.get('keepdays'):
return self._remove_older(repo_obj, **kwargs)
elif kwargs.get('new_encoding'):
return self._set_encoding(repo_obj, **kwargs)
elif kwargs.get('maxage'):
return self._set_maxage(repo_obj, **kwargs)
if cherrypy.request.method == 'POST':
if kwargs.get('keepdays'):
return self._remove_older(repo_obj, **kwargs)
elif kwargs.get('new_encoding'):
return self._set_encoding(repo_obj, **kwargs)
elif kwargs.get('maxage'):
return self._set_maxage(repo_obj, **kwargs)
# Get page data.
params = {
'repo': repo_obj,
Expand Down
9 changes: 9 additions & 0 deletions rdiffweb/controller/tests/test_page_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,15 @@ def test_set_maxage(self):
repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
self.assertEqual(4, repo_obj.maxage)

def test_set_maxage_method_get(self):
# When trying to update maxage with GET method
self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?maxage=4")
# Then page return without error
self.assertStatus(200)
# Then database is not updated
repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
self.assertEqual(0, repo_obj.maxage)

def test_does_not_exists(self):
# Given an invalid repo
repo = 'invalid'
Expand Down
10 changes: 10 additions & 0 deletions rdiffweb/controller/tests/test_page_settings_remove_older.py
Original file line number Diff line number Diff line change
Expand Up @@ -77,3 +77,13 @@ def test_as_another_user(self):
# Browse admin's repos
self._remove_older('anotheruser', 'testcases', '2')
self.assertStatus('403 Forbidden')

def test_set_keepdays_method_get(self):
# When trying update keepdays with method GET
self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?keepdays=4")
# Then pge return without error
self.assertStatus(200)
# Then database is not updated
user = self.app.store.get_user(self.USERNAME)
repo = user.get_repo(self.REPO)
self.assertEqual(-1, repo.keepdays)
10 changes: 10 additions & 0 deletions rdiffweb/controller/tests/test_page_settings_set_encoding.py
Original file line number Diff line number Diff line change
Expand Up @@ -113,3 +113,13 @@ def test_as_another_user(self):
# Browse admin's repos
self._set_encoding('anotheruser', 'testcases', 'utf-8')
self.assertStatus('403 Forbidden')

def test_set_encoding_method_get(self):
# When trying to update encoding with method GET
self.getPage("/settings/admin/testcases/?new_encoding=cp1252")
# Then page return without error
self.assertStatus(200)
# Then database is not updated
user = self.app.store.get_user(self.USERNAME)
repo = user.get_repo(self.REPO)
self.assertEqual('utf-8', repo.encoding)

0 comments on commit 20fc0d3

Please sign in to comment.