[checkmk-commits] [tribe29/checkmk] ea0dad: CSRF framework introduction

Branch: refs/heads/master Home: https://github.com/tribe29/checkmk Commit: ea0dadb329738e959ba7372c8e2d4b093b7206dc https://github.com/tribe29/checkmk/commit/ea0dadb329738e959ba7372c8e2d4b093… Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com> Date: 2022-05-23 (Mon, 23 May 2022) Changed paths: M cmk/gui/htmllib/html.py M cmk/gui/pages.py M cmk/gui/type_defs.py A cmk/gui/utils/csrf_token.py M tests/unit/cmk/gui/test_userdb.py M web/htdocs/js/modules/ajax.js Log Message: ----------- CSRF framework introduction Previously the mitigation for CSRF were the transaction ids. Since they are not used everywhere and not usable everywhere a new mitigation is implemented. The CSRF token is bound on the server side to the session and is a UUID. It is written to every page as a JavaScript variable and included in all forms as a hidden field. The Page class now has a method to validate the existence and correctness of this CSRF token and will raise an error if no token or an invalid one is provided. If no session context is present, no token is written and none is checked! Change-Id: I5539eb30520efa10f77c17c64a29c67bf1af39f3