[Jifty-commit] r4922 - in jifty/trunk: . t/Continuations/lib/Continuations t/TestApp-Plugin-PasswordAuth/t t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST t/TestApp/t

jifty-commit at lists.jifty.org jifty-commit at lists.jifty.org
Thu Jan 24 08:13:54 EST 2008 

Author: sartak
Date: Thu Jan 24 08:13:53 2008
New Revision: 4922

Modified:
   jifty/trunk/   (props changed)
   jifty/trunk/lib/Jifty/API.pm
   jifty/trunk/lib/Jifty/Dispatcher.pm
   jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
   jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
   jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
   jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
   jifty/trunk/t/TestApp/t/05-editactions-Record.t

Log:
 r50714 at onn:  sartak | 2008-01-24 08:13:32 -0500
 Security fix: Deny all actions (except Autocomplete and Redirect) on GET. You must whitelist actions known to be safe, such as with:
     before '*' => run { Jifty->api->allow('CustomSearch') };


Modified: jifty/trunk/lib/Jifty/API.pm
==============================================================================
--- jifty/trunk/lib/Jifty/API.pm	(original)
+++ jifty/trunk/lib/Jifty/API.pm	Thu Jan 24 08:13:53 2008
@@ -138,6 +138,24 @@
     );
 }
 
+=head2 deny_for_get
+
+Denies all actions except L<Jifty::Action::Autocomplete> and
+L<Jifty::Action::Redirect>. This is to protect against a common cross-site
+scripting hole. In your C<before> dispatcher rules, you can whitelist actions
+that are known to be read-only.
+
+This is called automatically during any C<GET> request.
+
+=cut
+
+sub deny_for_get {
+    my $self = shift;
+    $self->deny(qr/.*/);
+    $self->allow("Jifty::Action::Autocomplete");
+    $self->allow("Jifty::Action::Redirect");
+}
+
 =head2 allow RESTRICTIONS
 
 Takes a list of strings or regular expressions, and adds them in order

Modified: jifty/trunk/lib/Jifty/Dispatcher.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Dispatcher.pm	(original)
+++ jifty/trunk/lib/Jifty/Dispatcher.pm	Thu Jan 24 08:13:53 2008
@@ -838,6 +838,9 @@
 
     $self->log->debug("Dispatching request to ".$self->{path});
 
+    # Disable most actions on GET requests
+    Jifty->api->deny_for_get() if $self->_match_method('GET');
+
     # Setup -- we we don't abort out of setup, then run the
     # actions and then the RUN stage.
     if ($self->_handle_stage('SETUP')) {

Modified: jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
==============================================================================
--- jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm	(original)
+++ jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm	Thu Jan 24 08:13:53 2008
@@ -1,6 +1,12 @@
 package Continuations::Dispatcher;
 use Jifty::Dispatcher -base;
 
+# whitelist these read-only actions
+before '*' => run {
+    Jifty->api->allow('GetGrail');
+    Jifty->api->allow('CrossBridge');
+};
+
 my $before = 0;
 before '/tutorial' => run {
     unless (Jifty->web->session->get('got_help')) {

Modified: jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t	(original)
+++ jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t	Thu Jan 24 08:13:53 2008
@@ -13,7 +13,7 @@
 use lib 't/lib';
 use Jifty::SubTest;
 
-use Jifty::Test tests => 6;
+use Jifty::Test tests => 5;
 use Jifty::Test::WWW::Mechanize;
 
 my $server  = Jifty::Test->make_server;
@@ -26,8 +26,7 @@
 
 # {{{ Get token for logging in with a JS-based md5-hashed password
 my $service='/__jifty/webservices/yaml';
-my $service_request ="$URL$service?J:A-moniker=GeneratePasswordToken&J:A:F-email-moniker=gooduser\@example.com"; 
-$mech->get_ok($service_request, "Token-generating webservice $service_request exists");
+$mech->post("$URL/$service", {"J:A-moniker" => "GeneratePasswordToken", "J:A:F-email-moniker" => 'gooduser at example.com'});
 
 # XXX needs to be more precise in checking for the token, but this works
 # as long as we're using time() for the token

Modified: jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm	(original)
+++ jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm	Thu Jan 24 08:13:53 2008
@@ -1,4 +1,8 @@
 package TestApp::Plugin::REST::Dispatcher;
 use Jifty::Dispatcher -base;
 
+before '*' => run {
+    Jifty->api->allow('DoSomething');
+};
+
 1;

Modified: jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
==============================================================================
--- jifty/trunk/t/TestApp/t/05-editactions-Cachable.t	(original)
+++ jifty/trunk/t/TestApp/t/05-editactions-Cachable.t	Thu Jan 24 08:13:53 2008
@@ -7,7 +7,7 @@
 use Jifty::SubTest;
 BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Cachable' }
 
-use Jifty::Test tests => 8;
+use Jifty::Test tests => 7;
 use Jifty::Test::WWW::Mechanize;
 
 # Make sure we can load the model
@@ -31,7 +31,14 @@
 my $mech    = Jifty::Test::WWW::Mechanize->new();
 
 # Test action to update
-$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com', "Form submitted");
+$mech->post($URL.'/editform', {
+    'J:A-updateuser' => 'TestApp::Action::UpdateUser',
+    'J:A:F:F-id-updateuser' => 1,
+    'J:A:F-name-updateuser' => 'edituser',
+    'J:A:F-email-updateuser' => 'newemail at example.com',
+    'J:A:F-tasty-updateuser' => '0'
+}, "Form submitted");
+
 undef $o;
 $o = TestApp::Model::User->new(current_user => $system_user);
 $o->flush_cache;

Modified: jifty/trunk/t/TestApp/t/05-editactions-Record.t
==============================================================================
--- jifty/trunk/t/TestApp/t/05-editactions-Record.t	(original)
+++ jifty/trunk/t/TestApp/t/05-editactions-Record.t	Thu Jan 24 08:13:53 2008
@@ -7,7 +7,7 @@
 use Jifty::SubTest;
 BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Record' }
 
-use Jifty::Test tests => 11;
+use Jifty::Test tests => 10;
 use Jifty::Test::WWW::Mechanize;
 # Make sure we can load the model
 use_ok('TestApp::Model::User');
@@ -32,7 +32,14 @@
 my $mech    = Jifty::Test::WWW::Mechanize->new();
 
 # Test action to update
-$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com&J:A:F-tasty-updateuser=0', "Form submitted");
+$mech->post($URL.'/editform', {
+    'J:A-updateuser' => 'TestApp::Action::UpdateUser',
+    'J:A:F:F-id-updateuser' => 1,
+    'J:A:F-name-updateuser' => 'edituser',
+    'J:A:F-email-updateuser' => 'newemail at example.com',
+    'J:A:F-tasty-updateuser' => '0'
+}, "Form submitted");
+
 undef $o;
 $o = TestApp::Model::User->new(current_user => $system_user);
 $o->load($id);

More information about the Jifty-commit mailing list