From 18a5aabd48fa6d2d2771a25f95610c28a1a097ca Mon Sep 17 00:00:00 2001
From: Patrik Dufresne
Date: Tue, 20 Sep 2022 07:59:53 -0400
Subject: [PATCH] Mitigate CSRF on notification #216

---
 README.md | 1 +
 rdiffweb/controller/pref_notification.py | 4 +++-
 rdiffweb/controller/tests/test_page_prefs.py | 12 ++++++++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 10bb7ee7..323a5b28 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 * Support MarkupSafe<3 for Debian bookworm
+* Mitigate CSRF on user's notification settings #216 [CVE-2022-3233](https://nvd.nist.gov/vuln/detail/CVE-2022-3233)
 ## 2.4.5 (2002-09-16)
diff --git a/rdiffweb/controller/pref_notification.py b/rdiffweb/controller/pref_notification.py
index 855c0efd..1e62f7e6 100644
--- a/rdiffweb/controller/pref_notification.py
+++ b/rdiffweb/controller/pref_notification.py
@@ -21,6 +21,8 @@
 import logging
+import cherrypy
+
 from rdiffweb.controller import Controller, validate_int
 from rdiffweb.tools.i18n import ugettext as _
@@ -45,7 +47,7 @@ def _handle_set_notification_info(self, **kwargs):
 def render_prefs_panel(self, panelid, action=None, **kwargs): # @UnusedVariable
 # Process the parameters.
- if action == "set_notification_info":
+ if cherrypy.request.method == 'POST' and action == "set_notification_info":
 self._handle_set_notification_info(**kwargs)
 params = {
diff --git a/rdiffweb/controller/tests/test_page_prefs.py b/rdiffweb/controller/tests/test_page_prefs.py
index 0f098073..77dae001 100644
--- a/rdiffweb/controller/tests/test_page_prefs.py
+++ b/rdiffweb/controller/tests/test_page_prefs.py
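Review bot: The new guard `cherrypy.request.method == 'POST' and action == "set_notification_info"` in render_prefs_panel only rules out the GET-triggered variant; a cross-origin HTML form can still submit a POST carrying the victim's session cookie, so the commit narrows rather than closes the CSRF issue named in its title. A complete mitigation would pair the method check with a per-session token that `_handle_set_notification_info` verifies before writing (or an Origin/Referer comparison against the site's own host) and a SameSite attribute on the session cookie; whichever is chosen, a comment such as `# Mutations are accepted via POST only; this is not a substitute for a CSRF token` above the `if` would stop the next reader from treating the method check as sufficient. The condition also mixes `'POST'` and `"set_notification_info"` quoting on one line. The body of render_prefs_panel continues outside the hunk.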
@@ -139,6 +139,18 @@ def test_update_notification(self):
 repo_obj = self.app.store.get_user(self.USERNAME).get_repo(self.REPO)
 self.assertEqual(7, repo_obj.maxage)
+ def test_update_notification_method_get(self):
+ # Given a user with repositories
+ # When trying to update notification with GET method
+ self.getPage("/prefs/notification?action=set_notification_info&testcases=7")
+ # Then page return with success
+ self.assertStatus(200)
+ # Then page doesn't update values
+ self.assertNotInBody('Notification settings updated successfully.')
+ # Then database is not updated
+ repo_obj = self.app.store.get_user(self.USERNAME).get_repo(self.REPO)
+ self.assertEqual(0, repo_obj.maxage)
+
 def test_get_page(self):
 self.getPage("/prefs/", method='GET')
 self.assertInBody("SSH")
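Review bot: `self.assertEqual(0, repo_obj.maxage)` on the last added line pins the post-request value to a fixture default that the test never establishes itself, so a fixture change to a non-zero seed would fail the test, and a seed of 7 would let it pass without proving the GET was ignored. Reading the value before the request and asserting it is unchanged afterwards, e.g. `maxage_before = self.app.store.get_user(self.USERNAME).get_repo(self.REPO).maxage` ahead of `self.getPage(...)` and `self.assertEqual(maxage_before, repo_obj.maxage)` at the end, makes the test self-contained. The Gherkin-style comments carry grammar slips ("Then page return with success"); `# Then the page renders successfully` and `# Then the settings are not updated` read more cleanly. The string literals also alternate between double quotes in `getPage(...)` and single quotes in `assertNotInBody(...)` within the same method.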