
In addition to CSRF token, verify the origin too #2501

Merged
merged 1 commit into from
Apr 16, 2016

Conversation

dstufft
Contributor

@dstufft dstufft commented Apr 16, 2016

Add an additional layer of protection against CSRF by verifying the actual origin of the request in addition to the CSRF token. We only do this check on sites hosted behind HTTPS because only HTTPS sites have evidence to show that the Referrer header is not being spuriously removed by random middleware boxes.

Note, to prevent any sort of backwards incompatibilities and since the CSRF predicate has been deprecated, I've only added this to the new view derivation form of CSRF.

I still need to write documentation and tests (working on that now), just thought I'd throw this up here in case people were interested. This same technique can be seen in Django.


Note that this function will do nothing if request.scheme is not https.

..versionadded:: 1.7
Member

IIRC you need one more space after the initial two periods.

@digitalresistor digitalresistor added this to the 1.7 milestone Apr 16, 2016
@dstufft dstufft changed the title [WIP] In addition to CSRF token, verify the origin too In addition to CSRF token, verify the origin too Apr 16, 2016
)

from pyramid.exceptions import BadCSRFToken
from pyramid.exceptions import BadCSRFOrigin, BadCSRFToken
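Review bot: the added `from pyramid.exceptions import BadCSRFOrigin, BadCSRFToken` line imports an exception class this hunk does not define; make sure `BadCSRFOrigin` is added to `pyramid.exceptions` in the same commit and documented beside `BadCSRFToken`, since anyone with an exception view for CSRF failures needs to know it is a separate class to handle (the multi-line, alphabetised tuple import requested above still applies).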
Member

I would prefer these on multiple lines, with tuple style importing, listed in alphabetical order.

@dstufft dstufft force-pushed the check-origin-csrf branch 2 times, most recently from a5e56b8 to 6eae953 Compare April 16, 2016 02:37
@dstufft
Contributor Author

dstufft commented Apr 16, 2016

Ok, unless code review finds something that needs to be addressed I think this should be ready to merge!

@digitalresistor
Member

digitalresistor commented Apr 16, 2016

👍

@mmerickel I don't believe that adding this will break anything for anyone, and I've compared it against the Django version and it is similar (and has the same effect).

Would like your sign-off too before merging this :-).

@@ -101,6 +108,77 @@ def signed_deserialize(serialized, secret, hmac=hmac):

return pickle.loads(pickled)


def check_csrf_origin(request):
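Review bot: `def check_csrf_origin(request)` returns without checking anything on non-HTTPS requests (as the docstring quoted earlier states), so a truthy result means either "checked and passed" or "not checked at all"; callers stacking this on the token check should not read it as proof of origin on plain HTTP. Together with the wider signature requested above, a `raises` flag would make the two outcomes observable to callers, and the HTTP early-return path deserves its own test.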
Member

I would like to see this function more reusable in a similar vein to check_csrf_token. For example a default signature like check_csrf_origin(request, trusted_origins=None, raises=True) where trusted_origins overrides the usage of the setting.
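The check described in the PR body (verify the request's Origin or Referer against trusted hosts, only on HTTPS, as a second layer beside the CSRF token) with the reusable signature requested in this comment, as an added example. It is not the code from this PR or from Pyramid: the `BadCSRFOrigin` class, the `pyramid.csrf_trusted_origins` setting name, the `FakeRequest` stand-in and the hosts `example.com`, `partner.test` and `evil.test` are all assumed or constructed so the block runs without Pyramid installed.

```python
"""Origin / Referer verification as a second CSRF layer.

Added example for this thread; it is not the code from PR #2501 or from
Pyramid.  It follows the signature mmerickel asked for,
check_csrf_origin(request, trusted_origins=None, raises=True), and runs
against a minimal constructed request object so that Pyramid is not needed.
"""
from types import SimpleNamespace
from urllib.parse import urlparse


class BadCSRFOrigin(Exception):
    """Stand-in for pyramid.exceptions.BadCSRFOrigin (assumed name)."""


# Assumed setting name holding extra trusted hosts, e.g. ["partner.test"].
TRUSTED_ORIGINS_SETTING = "pyramid.csrf_trusted_origins"


def _normalize_host(netloc):
    """Lower-case a host[:port] and drop an explicit default HTTPS port."""
    netloc = netloc.lower()
    return netloc[:-4] if netloc.endswith(":443") else netloc


def check_csrf_origin(request, trusted_origins=None, raises=True):
    """Return True if the request's Origin (or Referer) is a trusted HTTPS origin.

    Only HTTPS requests are checked: on plain HTTP an intermediary may have
    stripped the Referer, so its absence proves nothing and we return True
    without checking.  On HTTPS a missing Origin *and* Referer is a failure.
    With raises=False the function returns False instead of raising.
    """
    def fail(reason):
        if raises:
            raise BadCSRFOrigin(reason)
        return False

    if request.scheme != "https":
        return True  # not checked, see docstring

    if trusted_origins is None:
        trusted_origins = request.registry.settings.get(TRUSTED_ORIGINS_SETTING, [])
    # The request's own host is always trusted; entries may be bare hosts
    # or full origins such as "https://partner.test".
    trusted = {_normalize_host(request.host)}
    for entry in trusted_origins:
        parsed = urlparse(entry if "://" in entry else "https://" + entry)
        trusted.add(_normalize_host(parsed.netloc))

    # Browsers send Origin on cross-site POSTs; fall back to Referer otherwise.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    if not origin:
        return fail("HTTPS request carries neither Origin nor Referer")
    if origin == "null":
        return fail("Origin is 'null' (opaque origin)")

    parsed = urlparse(origin)
    if parsed.scheme.lower() != "https":
        return fail("origin %r is not https" % origin)
    if _normalize_host(parsed.netloc) not in trusted:
        return fail("origin host %r is not trusted" % parsed.netloc)
    return True


class FakeRequest:
    """Minimal stand-in for a Pyramid request (constructed for this example)."""

    def __init__(self, scheme, host, headers, settings=None):
        self.scheme = scheme
        self.host = host
        self.headers = headers
        self.registry = SimpleNamespace(settings=settings or {})


def demo():
    """Exercise the check with constructed requests; returns name -> result."""
    def req(headers, scheme="https", host="example.com", settings=None):
        return FakeRequest(scheme, host, headers, settings)

    return {
        "same_origin": check_csrf_origin(req({"Origin": "https://example.com"}), raises=False),
        "referer_fallback": check_csrf_origin(req({"Referer": "https://example.com:443/form"}), raises=False),
        "foreign_origin": check_csrf_origin(req({"Origin": "https://evil.test"}), raises=False),
        "missing_headers": check_csrf_origin(req({}), raises=False),
        "downgraded_scheme": check_csrf_origin(req({"Origin": "http://example.com"}), raises=False),
        "http_not_checked": check_csrf_origin(req({}, scheme="http"), raises=False),
        "trusted_argument": check_csrf_origin(req({"Origin": "https://partner.test"}), trusted_origins=["partner.test"], raises=False),
        "trusted_setting": check_csrf_origin(req({"Origin": "https://partner.test"}, settings={TRUSTED_ORIGINS_SETTING: ["https://partner.test"]}), raises=False),
    }


def raises_by_default():
    """With raises=True (the default) an untrusted origin raises BadCSRFOrigin."""
    try:
        check_csrf_origin(FakeRequest("https", "example.com", {"Origin": "https://evil.test"}))
    except BadCSRFOrigin:
        return True
    return False


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-18s %s" % (name, "pass" if ok else "reject"))
```

The `trusted_origins` argument overrides the setting, as requested above, and the request's own host is always accepted so the common same-origin case needs no configuration. Note the `http_not_checked` case: the function returns True there because it did not run the check, which is why pairing it with the token check is what gives the real protection.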

@mmerickel
Member

Not very happy about all the whitespace changes here. It made this significantly more tedious to review and github's little ?w=1 doesn't appear to be working. This type of change belongs in a separate PR.

@mmerickel
Member

Found a couple issues in comments but otherwise the feature looks good.

Add an additional layer of protection against CSRF by verifying the actual
origin of the request in addition to the CSRF token. We only do this check on
sites hosted behind HTTPS because only HTTPS sites have evidence to show that
the Referrer header is not being spuriously removed by random middleware
boxes.
@dstufft
Contributor Author

dstufft commented Apr 16, 2016

Ok. I adjusted this to take into account the feedback and the tests are passing again.

@mmerickel mmerickel merged commit 4a4d4b9 into Pylons:master Apr 16, 2016
@mmerickel
Member

Nice, thank you!
