Branch: refs/heads/2.0.0
Home:
https://github.com/tribe29/checkmk
Commit: d7cbb2f0bb2d46312f72c68a8463aaee78e677c3
https://github.com/tribe29/checkmk/commit/d7cbb2f0bb2d46312f72c68a8463aaee7…
Author: Maximilian Wirtz <maximilian.wirtz(a)tribe29.com>
Date: 2022-06-03 (Fri, 03 Jun 2022)
Changed paths:
A .werks/13903
M cmk/gui/htmllib.py
M cmk/gui/node_visualization.py
M cmk/gui/sidebar.py
M cmk/gui/userdb.py
A cmk/gui/utils/csrf_token.py
M cmk/gui/views.py
M cmk/gui/wato/pages/activate_changes.py
M cmk/gui/wato/pages/folders.py
M cmk/gui/wato/pages/host_diagnose.py
M cmk/gui/wato/pages/services.py
M cmk/gui/wato/user_profile.py
M tests/unit/cmk/gui/test_userdb.py
M web/htdocs/js/modules/ajax.js
M web/htdocs/js/modules/dashboard.js
M web/htdocs/js/modules/host_diagnose.js
M web/htdocs/js/modules/service_discovery.js
M web/htdocs/js/modules/sidebar.js
Log Message:
-----------
13903 SEC Introduce additional CSRF checks
This is the pick of two changes:
- I5539eb30520efa10f77c17c64a29c67bf1af39f3
- Ic709514c4e0f00c1aeeeede8aaf4c388007fcd7a
Previously the mitigation for CSRF was the transaction ids. Since they
are not used everywhere and not usable everywhere, a new mitigation is
implemented.
The CSRF token is bound on the server side to the session and is a UUID.
It is written to every page as a JavaScript variable and included in all
forms as a hidden field.
The Page class now has a method to validate the existence and
correctness of this CSRF token and will raise an error if no token or an
invalid one is provided.
If no session context is present, no token is written and none is
checked!
Change-Id: Ic709514c4e0f00c1aeeeede8aaf4c388007fcd7a
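The scheme the commit message describes (a per-session UUID token, emitted as a JavaScript variable and as a hidden form field, checked by the page handler, skipped entirely when there is no session) as an added, self-contained illustration. This is example code, not checkmk's `cmk/gui/utils/csrf_token.py`; the `Session` class and the `csrf_token_for`, `hidden_form_field`, `javascript_token_var`, `check_csrf_token` and `is_valid_csrf_token` names are hypothetical, and the comparison uses `hmac.compare_digest` as a constant-time check the werk text does not mention.

```python
"""Session-bound CSRF token, modelled on the scheme described in werk 13903.

Added example, not the project's code. All names below are hypothetical.
"""
import hmac
import uuid
from html import escape
from typing import Dict, Optional

CSRF_FIELD = "_csrf_token"  # hypothetical form field / JS variable name


class CSRFTokenError(Exception):
    """Raised when a state-changing request carries no token or a wrong one."""


class Session:
    """Hypothetical server-side session store: one CSRF token per session."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {}


def csrf_token_for(session: Optional[Session]) -> Optional[str]:
    """Return the session's token, minting a UUID on first use.

    With no session context there is nothing to bind a token to, so none is
    issued (mirrors "no token is written" in the commit message).
    """
    if session is None:
        return None
    token = session.data.get(CSRF_FIELD)
    if token is None:
        token = str(uuid.uuid4())
        session.data[CSRF_FIELD] = token
    return token


def javascript_token_var(session: Optional[Session]) -> str:
    """Snippet written to every page so AJAX calls can attach the token."""
    token = csrf_token_for(session)
    if token is None:
        return ""
    return f'<script>var csrf_token = "{escape(token)}";</script>'


def hidden_form_field(session: Optional[Session]) -> str:
    """Hidden input included in every HTML form rendered for this session."""
    token = csrf_token_for(session)
    if token is None:
        return ""
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{escape(token)}">'


def check_csrf_token(session: Optional[Session], submitted: Optional[str]) -> None:
    """Validate the token a request carries against the session's token.

    Raises CSRFTokenError on a missing or mismatching token. When there is no
    session context the check is skipped, exactly as the werk states; the
    consequence is that endpoints reachable without a session get no
    protection from this mechanism and must rely on something else.
    """
    if session is None:
        return
    expected = session.data.get(CSRF_FIELD)
    if expected is None or submitted is None:
        raise CSRFTokenError("CSRF token missing")
    # Constant-time comparison so token bytes cannot be guessed by timing.
    if not hmac.compare_digest(expected, submitted):
        raise CSRFTokenError("CSRF token invalid")


def is_valid_csrf_token(session: Optional[Session], form: Dict[str, str]) -> bool:
    """Boolean wrapper a page handler can call on the parsed POST form."""
    try:
        check_csrf_token(session, form.get(CSRF_FIELD))
    except CSRFTokenError:
        return False
    return True


if __name__ == "__main__":
    # Constructed walk-through: two sessions, one cross-site forgery attempt.
    victim, attacker = Session(), Session()
    page = javascript_token_var(victim) + hidden_form_field(victim)
    print(page)
    print("own token accepted:", is_valid_csrf_token(victim, {CSRF_FIELD: csrf_token_for(victim)}))
    print("other session's token rejected:", is_valid_csrf_token(victim, {CSRF_FIELD: csrf_token_for(attacker)}))
    print("missing token rejected:", is_valid_csrf_token(victim, {}))
    print("no session context, check skipped:", is_valid_csrf_token(None, {}))
```

The last call is the caveat from the commit message made explicit: a request with no session passes the check unconditionally, so this mechanism only covers authenticated pages.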