[jifty-devel] Re: [Jifty-commit] r4922 - in jifty/trunk: . t/Continuations/lib/Continuations t/TestApp-Plugin-PasswordAuth/t t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST t/TestApp/t

Jesse Vincent jesse at bestpractical.com
Thu Jan 24 11:21:55 EST 2008 

This needs an entry in the changelog. And probably for a couple months
at least, an "error" level logged explanation when someone tries to
call a denied action explaining about the change and how to fix it.


On Thu, Jan 24, 2008 at 08:13:54AM -0500, jifty-commit at lists.jifty.org wrote:
> Author: sartak
> Date: Thu Jan 24 08:13:53 2008
> New Revision: 4922
> 
> Modified:
>    jifty/trunk/   (props changed)
>    jifty/trunk/lib/Jifty/API.pm
>    jifty/trunk/lib/Jifty/Dispatcher.pm
>    jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
>    jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
>    jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
>    jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
>    jifty/trunk/t/TestApp/t/05-editactions-Record.t
> 
> Log:
>  r50714 at onn:  sartak | 2008-01-24 08:13:32 -0500
>  Security fix: Deny all actions (except Autocomplete and Redirect) on GET. You must whitelist actions known to be safe, such as with:
>      before '*' => run { Jifty->api->allow('CustomSearch') };
> 
> 
> Modified: jifty/trunk/lib/Jifty/API.pm
> ==============================================================================
> --- jifty/trunk/lib/Jifty/API.pm	(original)
> +++ jifty/trunk/lib/Jifty/API.pm	Thu Jan 24 08:13:53 2008
> @@ -138,6 +138,24 @@
>      );
>  }
>  
> +=head2 deny_for_get
> +
> +Denies all actions except L<Jifty::Action::Autocomplete> and
> +L<Jifty::Action::Redirect>. This is to protect against a common cross-site
> +scripting hole. In your C<before> dispatcher rules, you can whitelist actions
> +that are known to be read-only.
> +
> +This is called automatically during any C<GET> request.
> +
> +=cut
> +
> +sub deny_for_get {
> +    my $self = shift;
> +    $self->deny(qr/.*/);
> +    $self->allow("Jifty::Action::Autocomplete");
> +    $self->allow("Jifty::Action::Redirect");
> +}
> +
>  =head2 allow RESTRICTIONS
>  
>  Takes a list of strings or regular expressions, and adds them in order
> 
> Modified: jifty/trunk/lib/Jifty/Dispatcher.pm
> ==============================================================================
> --- jifty/trunk/lib/Jifty/Dispatcher.pm	(original)
> +++ jifty/trunk/lib/Jifty/Dispatcher.pm	Thu Jan 24 08:13:53 2008
> @@ -838,6 +838,9 @@
>  
>      $self->log->debug("Dispatching request to ".$self->{path});
>  
> +    # Disable most actions on GET requests
> +    Jifty->api->deny_for_get() if $self->_match_method('GET');
> +
>      # Setup -- we we don't abort out of setup, then run the
>      # actions and then the RUN stage.
>      if ($self->_handle_stage('SETUP')) {
> 
> Modified: jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm
> ==============================================================================
> --- jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm	(original)
> +++ jifty/trunk/t/Continuations/lib/Continuations/Dispatcher.pm	Thu Jan 24 08:13:53 2008
> @@ -1,6 +1,12 @@
>  package Continuations::Dispatcher;
>  use Jifty::Dispatcher -base;
>  
> +# whitelist these read-only actions
> +before '*' => run {
> +    Jifty->api->allow('GetGrail');
> +    Jifty->api->allow('CrossBridge');
> +};
> +
>  my $before = 0;
>  before '/tutorial' => run {
>      unless (Jifty->web->session->get('got_help')) {
> 
> Modified: jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t
> ==============================================================================
> --- jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t	(original)
> +++ jifty/trunk/t/TestApp-Plugin-PasswordAuth/t/01-tokengen.t	Thu Jan 24 08:13:53 2008
> @@ -13,7 +13,7 @@
>  use lib 't/lib';
>  use Jifty::SubTest;
>  
> -use Jifty::Test tests => 6;
> +use Jifty::Test tests => 5;
>  use Jifty::Test::WWW::Mechanize;
>  
>  my $server  = Jifty::Test->make_server;
> @@ -26,8 +26,7 @@
>  
>  # {{{ Get token for logging in with a JS-based md5-hashed password
>  my $service='/__jifty/webservices/yaml';
> -my $service_request ="$URL$service?J:A-moniker=GeneratePasswordToken&J:A:F-email-moniker=gooduser\@example.com"; 
> -$mech->get_ok($service_request, "Token-generating webservice $service_request exists");
> +$mech->post("$URL/$service", {"J:A-moniker" => "GeneratePasswordToken", "J:A:F-email-moniker" => 'gooduser at example.com'});
>  
>  # XXX needs to be more precise in checking for the token, but this works
>  # as long as we're using time() for the token
> 
> Modified: jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm
> ==============================================================================
> --- jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm	(original)
> +++ jifty/trunk/t/TestApp-Plugin-REST/lib/TestApp/Plugin/REST/Dispatcher.pm	Thu Jan 24 08:13:53 2008
> @@ -1,4 +1,8 @@
>  package TestApp::Plugin::REST::Dispatcher;
>  use Jifty::Dispatcher -base;
>  
> +before '*' => run {
> +    Jifty->api->allow('DoSomething');
> +};
> +
>  1;
> 
> Modified: jifty/trunk/t/TestApp/t/05-editactions-Cachable.t
> ==============================================================================
> --- jifty/trunk/t/TestApp/t/05-editactions-Cachable.t	(original)
> +++ jifty/trunk/t/TestApp/t/05-editactions-Cachable.t	Thu Jan 24 08:13:53 2008
> @@ -7,7 +7,7 @@
>  use Jifty::SubTest;
>  BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Cachable' }
>  
> -use Jifty::Test tests => 8;
> +use Jifty::Test tests => 7;
>  use Jifty::Test::WWW::Mechanize;
>  
>  # Make sure we can load the model
> @@ -31,7 +31,14 @@
>  my $mech    = Jifty::Test::WWW::Mechanize->new();
>  
>  # Test action to update
> -$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com', "Form submitted");
> +$mech->post($URL.'/editform', {
> +    'J:A-updateuser' => 'TestApp::Action::UpdateUser',
> +    'J:A:F:F-id-updateuser' => 1,
> +    'J:A:F-name-updateuser' => 'edituser',
> +    'J:A:F-email-updateuser' => 'newemail at example.com',
> +    'J:A:F-tasty-updateuser' => '0'
> +}, "Form submitted");
> +
>  undef $o;
>  $o = TestApp::Model::User->new(current_user => $system_user);
>  $o->flush_cache;
> 
> Modified: jifty/trunk/t/TestApp/t/05-editactions-Record.t
> ==============================================================================
> --- jifty/trunk/t/TestApp/t/05-editactions-Record.t	(original)
> +++ jifty/trunk/t/TestApp/t/05-editactions-Record.t	Thu Jan 24 08:13:53 2008
> @@ -7,7 +7,7 @@
>  use Jifty::SubTest;
>  BEGIN { $ENV{'JIFTY_CONFIG'} = 't/config-Record' }
>  
> -use Jifty::Test tests => 11;
> +use Jifty::Test tests => 10;
>  use Jifty::Test::WWW::Mechanize;
>  # Make sure we can load the model
>  use_ok('TestApp::Model::User');
> @@ -32,7 +32,14 @@
>  my $mech    = Jifty::Test::WWW::Mechanize->new();
>  
>  # Test action to update
> -$mech->get_ok($URL.'/editform?J:A-updateuser=TestApp::Action::UpdateUser&J:A:F:F-id-updateuser=1&J:A:F-name-updateuser=edituser&J:A:F-email-updateuser=newemail at example.com&J:A:F-tasty-updateuser=0', "Form submitted");
> +$mech->post($URL.'/editform', {
> +    'J:A-updateuser' => 'TestApp::Action::UpdateUser',
> +    'J:A:F:F-id-updateuser' => 1,
> +    'J:A:F-name-updateuser' => 'edituser',
> +    'J:A:F-email-updateuser' => 'newemail at example.com',
> +    'J:A:F-tasty-updateuser' => '0'
> +}, "Form submitted");
> +
>  undef $o;
>  $o = TestApp::Model::User->new(current_user => $system_user);
>  $o->load($id);
> _______________________________________________
> Jifty-commit mailing list
> Jifty-commit at lists.jifty.org
> http://lists.jifty.org/cgi-bin/mailman/listinfo/jifty-commit
> 

--

More information about the jifty-devel mailing list