[Jifty-commit] r4922 - in jifty/trunk: .
t/Continuations/lib/Continuations t/TestApp-Plugin-PasswordAuth/t
t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST t/TestApp/t
jifty-commit at lists.jifty.org
jifty-commit at lists.jifty.org
Thu Jan 24 08:13:54 EST 2008
Author: sartak
Date: Thu Jan 24 08:13:53 2008
New Revision: 4922
Modified:
jifty/trunk/ (props changed)
jifty/trunk/lib/Jifty/API.pm
jifty/trunk/lib/Jifty/Dispatcher.pm
jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
jifty/trunk/t/TestApp/t/05-editactions-Record.t
Log:
r50714 at onn: sartak | 2008-01-24 08:13:32 -0500
Security fix: Deny all actions (except Autocomplete and Redirect) on GET. You must whitelist actions known to be safe, such as with:
before '*' => run { Jifty->api->allow('CustomSearch') };
Modified: jifty/trunk/lib/Jifty/API.pm
==============================================================================
--- jifty/trunk/lib/Jifty/API.pm (original)
+++ jifty/trunk/lib/Jifty/API.pm Thu Jan 24 08:13:53 2008
@@ -138,6 +138,24 @@
);
}
+=head2 deny_for_get
+
+Denies all actions except L<Jifty::Action::Autocomplete> and
+L<Jifty::Action::Redirect>. This is to protect against a common cross-site
+scripting hole. In your C<before> dispatcher rules, you can whitelist actions
+that are known to be read-only.
+
+This is called automatically during any C<GET> request.
+
+=cut
+
+sub deny_for_get {
+ my $self = shift;
+ $self->deny(qr/.*/);
+ $self->allow("Jifty::Action::Autocomplete");
+ $self->allow("Jifty::Action::Redirect");
+}
+
=head2 allow RESTRICTIONS
Takes a list of strings or regular expressions, and adds them in order
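Review bot: The POD for `deny_for_get` names the wrong vulnerability class: triggering state-changing actions through a crafted GET link or image is cross-site request forgery, not cross-site scripting, and readers looking for the CSRF story will miss this method. Suggested wording: `This is to protect against cross-site request forgery (a state-changing action triggered by a link or image on a third-party page).` It is also worth documenting that `deny(qr/.*/)` appends a rule rather than resetting the list, so any `allow` registered earlier is overridden and whitelisting must happen in `before` rules that run after dispatch starts — that ordering is inferred from the call site in `Jifty::Dispatcher`, so confirm it. Finally, a caveat belongs here: denying actions on GET narrows the attack surface but does not stop a cross-origin auto-submitted POST form, so a per-session request token remains necessary for full CSRF protection. The enclosing package continues outside the hunk.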
Modified: jifty/trunk/lib/Jifty/Dispatcher.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Dispatcher.pm (original)
+++ jifty/trunk/lib/Jifty/Dispatcher.pm Thu Jan 24 08:13:53 2008
@@ -838,6 +838,9 @@
$self->log->debug("Dispatching request to ".$self->{path});
+ # Disable most actions on GET requests
+ Jifty->api->deny_for_get() if $self->_match_method('GET');
+
# Setup -- we we don't abort out of setup, then run the
# actions and then the RUN stage.
if ($self->_handle_stage('SETUP')) {
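Review bot: The new guard only fires for `_match_method('GET')`, so a HEAD request (and any other non-POST method a server accepts) still runs every action, which leaves the same read-only-method hole open under a different verb. If POST is the only method that should carry state-changing actions, invert the test: `Jifty->api->deny_for_get() unless $self->_match_method('POST');`; if the REST plugin relies on PUT/DELETE, list those methods explicitly instead. The dispatch method this hunk sits in starts and ends outside the hunk, so I cannot see whether the request method is normalised before this point.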
Modified: jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
==============================================================================
--- jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm (original)
+++ jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm Thu Jan 24 08:13:53 2008
@@ -1,6 +1,12 @@
package Continuations::Dispatcher;
use Jifty::Dispatcher -base;
+# whitelist these read-only actions
+before '*' => run {
+ Jifty->api->allow('GetGrail');
+ Jifty->api->allow('CrossBridge');
+};
+
my $before = 0;
before '/tutorial' => run {
unless (Jifty->web->session->get('got_help')) {
Modified: jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t (original)
+++ jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t Thu Jan 24 08:13:53 2008
@@ -13,7 +13,7 @@
use lib 't/lib';
use Jifty::SubTest;
-use Jifty::Test tests => 6;
+use Jifty::Test tests => 5;
use Jifty::Test::WWW::Mechanize;
my $server = Jifty::Test->make_server;
@@ -26,8 +26,7 @@
# {{{ Get token for logging in with a JS-based md5-hashed password
my $service='/__jifty/webservices/yaml';
-my $service_request ="$URL$service?J:A-moniker=GeneratePasswordToken&J:A:F-email-moniker=gooduser\@example.com";
-$mech->get_ok($service_request, "Token-generating webservice $service_request exists");
+$mech->post("$URL/$service", {"J:A-moniker" => "GeneratePasswordToken", "J:A:F-email-moniker" => 'gooduser at example.com'});
# XXX needs to be more precise in checking for the token, but this works
# as long as we're using time() for the token
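Review bot: The new request URL is `"$URL/$service"` while `$service` already starts with `/` (line above, `my $service='/__jifty/webservices/yaml'`), so the test now posts to `$URL//__jifty/webservices/yaml`; the removed line concatenated `"$URL$service"` and that should be kept. Separately, `get_ok` was replaced by plain `post`, so the request is no longer asserted on (the plan drop from 6 to 5 confirms the lost check); `$mech->post_ok("$URL$service", {...}, "Token-generating webservice $service exists");` restores it, and the same `post`-instead-of-`post_ok` change appears in the 05-editactions-Cachable.t and 05-editactions-Record.t hunks. The `'gooduser at example.com'` value looks like the mailing-list archive's rewriting of `gooduser@example.com` rather than a change in the commit — worth confirming against the repository.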
Modified: jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm (original)
+++ jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm Thu Jan 24 08:13:53 2008
@@ -1,4 +1,8 @@
package TestApp::Plugin::REST::Dispatcher;
use Jifty::Dispatcher -base;
+before '*' => run {
+ Jifty->api->allow('DoSomething');
+};
+
1;
Modified: jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
==============================================================================
--- jifty/trunk/t/TestApp/t/05-editactions-Cachable.t (original)
+++ jifty/trunk/t/TestApp/t/05-editactions-Cachable.t Thu Jan 24 08:13:53 2008
@@ -7,7 +7,7 @@
use Jifty::SubTest;
BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Cachable' }
-use Jifty::Test tests => 8;
+use Jifty::Test tests => 7;
use Jifty::Test::WWW::Mechanize;
# Make sure we can load the model
@@ -31,7 +31,14 @@
my $mech = Jifty::Test::WWW::Mechanize->new();
# Test action to update
-$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com', "Form submitted");
+$mech->post($URL.'/editform', {
+ 'J:A-updateuser' => 'TestApp::Action::UpdateUser',
+ 'J:A:F:F-id-updateuser' => 1,
+ 'J:A:F-name-updateuser' => 'edituser',
+ 'J:A:F-email-updateuser' => 'newemail at example.com',
+ 'J:A:F-tasty-updateuser' => '0'
+}, "Form submitted");
+
undef $o;
$o = TestApp::Model::User->new(current_user => $system_user);
$o->flush_cache;
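Review bot: The trailing `"Form submitted"` argument to `$mech->post(...)` is not a test description: `WWW::Mechanize::post` has no description parameter, and as far as I can tell it forwards extra arguments to the request constructor, where a lone string is an odd-length header list. Either switch to `$mech->post_ok($URL.'/editform', { ... }, "Form submitted");` (which also restores the assertion the plan count was reduced for) or drop the string. The same shape appears in the 05-editactions-Record.t hunk.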
Modified: jifty/trunk/t/TestApp/t/05-editactions-Record.t
==============================================================================
--- jifty/trunk/t/TestApp/t/05-editactions-Record.t (original)
+++ jifty/trunk/t/TestApp/t/05-editactions-Record.t Thu Jan 24 08:13:53 2008
@@ -7,7 +7,7 @@
use Jifty::SubTest;
BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Record' }
-use Jifty::Test tests => 11;
+use Jifty::Test tests => 10;
use Jifty::Test::WWW::Mechanize;
# Make sure we can load the model
use_ok('TestApp::Model::User');
@@ -32,7 +32,14 @@
my $mech = Jifty::Test::WWW::Mechanize->new();
# Test action to update
-$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com&J:A:F-tasty-updateuser=0', "Form submitted");
+$mech->post($URL.'/editform', {
+ 'J:A-updateuser' => 'TestApp::Action::UpdateUser',
+ 'J:A:F:F-id-updateuser' => 1,
+ 'J:A:F-name-updateuser' => 'edituser',
+ 'J:A:F-email-updateuser' => 'newemail at example.com',
+ 'J:A:F-tasty-updateuser' => '0'
+}, "Form submitted");
+
undef $o;
$o = TestApp::Model::User->new(current_user => $system_user);
$o->load($id);