Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: ea0dadb329738e959ba7372c8e2d4b093b7206dc
https://github.com/tribe29/checkmk/commit/ea0dadb329738e959ba7372c8e2d4b093…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-05-23 (Mon, 23 May 2022)
Changed paths:
M cmk/gui/htmllib/html.py
M cmk/gui/pages.py
M cmk/gui/type_defs.py
A cmk/gui/utils/csrf_token.py
M tests/unit/cmk/gui/test_userdb.py
M web/htdocs/js/modules/ajax.js
Log Message:
-----------
CSRF framework introduction
Previously, the mitigation for CSRF was the transaction ids. Since they
are not used everywhere and not usable everywhere, a new mitigation is
implemented.
The CSRF token is bound on the server side to the session and is a UUID.
It is written to every page as a JavaScript variable and included in all
forms as a hidden field.
The Page class now has a method to validate the existence and
correctness of this CSRF token and will raise an error if no token or an
invalid one is provided.
If no session context is present, no token is written and none is
checked!
Change-Id: I5539eb30520efa10f77c17c64a29c67bf1af39f3
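The token flow the commit message describes, as an added illustration that is not Checkmk's own code: a UUID token bound to the server-side session, emitted as a JavaScript variable and as a hidden form field, and a page-level check that raises when the token is missing or wrong but does nothing when there is no session context. The names `Session`, `Page`, `CsrfError`, `is_request_accepted` and the field name `csrf_token` are assumptions for this example, not identifiers from the commit.

```python
"""Minimal session-bound CSRF token mechanism (illustrative, not Checkmk's code).

All class and function names here are hypothetical; the commit only states the
design: token = UUID bound to the session, written as a JS variable and a hidden
field, validated by the Page, and skipped entirely when no session exists.
"""
import html
import json
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional

FIELD_NAME = "csrf_token"  # assumed hidden-field name, not taken from the commit


class CsrfError(Exception):
    """Raised when a request carries no token or a token that does not match."""


@dataclass
class Session:
    """Server-side session; the token is created with the session and never sent
    anywhere except inside pages rendered for that session."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: str(uuid.uuid4()))


def render_js_variable(session: Optional[Session]) -> str:
    """<script> snippet exposing the token to the page's JavaScript (e.g. for AJAX).
    Without a session context no token exists, so nothing is written."""
    if session is None:
        return ""
    # json.dumps produces a quoted, escaped JS string literal, so the token
    # value cannot break out of the script context.
    return "<script>var csrf_token = %s;</script>" % json.dumps(session.csrf_token)


def render_hidden_field(session: Optional[Session]) -> str:
    """Hidden input to embed in every form rendered for this session."""
    if session is None:
        return ""
    return '<input type="hidden" name="%s" value="%s">' % (
        FIELD_NAME,
        html.escape(session.csrf_token, quote=True),
    )


class Page:
    """Hypothetical page object that validates the token of an incoming request."""

    def __init__(self, session: Optional[Session]) -> None:
        self.session = session

    def check_csrf_token(self, form: Dict[str, str]) -> None:
        # No session context: no token was ever written, so none is checked.
        if self.session is None:
            return
        token = form.get(FIELD_NAME)
        if token is None:
            raise CsrfError("request carries no CSRF token")
        # Constant-time comparison; both values are ASCII UUID strings.
        if not secrets.compare_digest(token, self.session.csrf_token):
            raise CsrfError("CSRF token does not match the session")


def is_request_accepted(page: Page, form: Dict[str, str]) -> bool:
    """Convenience wrapper: True if the page accepts the form, False if it raises."""
    try:
        page.check_csrf_token(form)
        return True
    except CsrfError:
        return False


if __name__ == "__main__":
    # Constructed sample requests for demonstration.
    session = Session(session_id="constructed-session-id")
    page = Page(session)
    print(render_js_variable(session))
    print(render_hidden_field(session))
    same_origin = {"action": "save", FIELD_NAME: session.csrf_token}
    cross_site_no_token = {"action": "save"}
    cross_site_guessed = {"action": "save", FIELD_NAME: str(uuid.uuid4())}
    print("same-origin form accepted:", is_request_accepted(page, same_origin))
    print("cross-site form without token accepted:", is_request_accepted(page, cross_site_no_token))
    print("cross-site form with guessed token accepted:", is_request_accepted(page, cross_site_guessed))
    print("form without session context accepted:", is_request_accepted(Page(None), cross_site_no_token))
```

The last line of the demo shows the caveat the commit message ends with: a request that arrives without any session context is neither protected nor rejected by this mechanism, so endpoints reachable without a session need their own consideration.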