diff --git a/README.md b/README.md
index 323a5b28..5cde2cb9 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,7 @@ This releases include a security fix. If you are using an earlier version, you s
 * Support MarkupSafe<3 for Debian bookworm
 * Mitigate CSRF on user's notification settings #216 [CVE-2022-3233](https://nvd.nist.gov/vuln/detail/CVE-2022-3233)
+* Mitigate CSRF on repository settings #217
 ## 2.4.5 (2002-09-16)
diff --git a/rdiffweb/controller/page_settings.py b/rdiffweb/controller/page_settings.py
index 5f1c28f6..d7631474 100644
--- a/rdiffweb/controller/page_settings.py
+++ b/rdiffweb/controller/page_settings.py
@@ -36,12 +36,13 @@ class SettingsPage(Controller):
 )
 def default(self, path=b"", action=None, **kwargs):
 repo_obj = self.app.store.get_repo(path)
- if kwargs.get('keepdays'):
- return self._remove_older(repo_obj, **kwargs)
- elif kwargs.get('new_encoding'):
- return self._set_encoding(repo_obj, **kwargs)
- elif kwargs.get('maxage'):
- return self._set_maxage(repo_obj, **kwargs)
+ if cherrypy.request.method == 'POST':
+ if kwargs.get('keepdays'):
+ return self._remove_older(repo_obj, **kwargs)
+ elif kwargs.get('new_encoding'):
+ return self._set_encoding(repo_obj, **kwargs)
+ elif kwargs.get('maxage'):
+ return self._set_maxage(repo_obj, **kwargs)
 # Get page data.
 params = {
 'repo': repo_obj,
diff --git a/rdiffweb/controller/tests/test_page_settings.py b/rdiffweb/controller/tests/test_page_settings.py
index 3adabf99..03415cb9 100644
--- a/rdiffweb/controller/tests/test_page_settings.py
+++ b/rdiffweb/controller/tests/test_page_settings.py
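Review bot: Gating the dispatch to `_remove_older`, `_set_encoding` and `_set_maxage` on `cherrypy.request.method == 'POST'` closes only the GET vector; a cross-site HTML form can still submit a POST carrying `keepdays`, `new_encoding` or `maxage`, so the mitigation is complete only if the settings form carries an anti-CSRF token that these handlers verify, or the session cookie is SameSite and the Origin header is checked, none of which is visible in this hunk. The new tests on the other files only cover the GET path, so a test asserting that a POST lacking that protection is rejected would pin the intended behaviour, assuming such protection exists elsewhere in the project. The non-POST fall-through now silently renders the page with the mutation parameters ignored; a comment such as `# State-changing actions are honoured only on POST (CSRF mitigation, #217); a GET carrying these parameters just renders the page.` would make that intent clear. `default` continues past the end of the hunk, and whether `cherrypy` is imported in this module is not visible here.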
@@ -59,6 +59,15 @@ def test_set_maxage(self):
 repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
 self.assertEqual(4, repo_obj.maxage)
+ def test_set_maxage_method_get(self):
+ # When trying to update maxage with GET method
+ self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?maxage=4")
+ # Then page return without error
+ self.assertStatus(200)
+ # Then database is not updated
+ repo_obj = self.app.store.get_user('admin').get_repo(self.REPO)
+ self.assertEqual(0, repo_obj.maxage)
+
 def test_does_not_exists(self):
 # Given an invalid repo
 repo = 'invalid'
diff --git a/rdiffweb/controller/tests/test_page_settings_remove_older.py b/rdiffweb/controller/tests/test_page_settings_remove_older.py
index 4e99b903..74e0d2d6 100644
--- a/rdiffweb/controller/tests/test_page_settings_remove_older.py
+++ b/rdiffweb/controller/tests/test_page_settings_remove_older.py
@@ -77,3 +77,13 @@ def test_as_another_user(self):
 # Browse admin's repos
 self._remove_older('anotheruser', 'testcases', '2')
 self.assertStatus('403 Forbidden')
+
+ def test_set_keepdays_method_get(self):
+ # When trying update keepdays with method GET
+ self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?keepdays=4")
+ # Then pge return without error
+ self.assertStatus(200)
+ # Then database is not updated
+ user = self.app.store.get_user(self.USERNAME)
+ repo = user.get_repo(self.REPO)
+ self.assertEqual(-1, repo.keepdays)
diff --git a/rdiffweb/controller/tests/test_page_settings_set_encoding.py b/rdiffweb/controller/tests/test_page_settings_set_encoding.py
index 562e83fa..92fcee7e 100644
--- a/rdiffweb/controller/tests/test_page_settings_set_encoding.py
+++ b/rdiffweb/controller/tests/test_page_settings_set_encoding.py
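Review bot: `test_set_maxage_method_get` builds the request URL from `self.USERNAME` but reads the repository back through `self.app.store.get_user('admin')`, so the assertion checks the same account only when `USERNAME` happens to be `admin`; the existing `test_set_maxage` in the context lines does the same, but the new `test_set_keepdays_method_get` in test_page_settings_remove_older.py (the second hunk on this line) shows the safer form, `repo_obj = self.app.store.get_user(self.USERNAME).get_repo(self.REPO)`. The comment `# Then pge return without error` in that second hunk has a typo; `# Then page returns without error` reads correctly and the same wording fits the maxage test. The expected values `0` and `-1` are presumably whatever the fixture leaves in place; saying so in the comment, e.g. `# Then database is not updated (still the fixture default)`, would make a failure easier to read.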
@@ -113,3 +113,13 @@ def test_as_another_user(self):
 # Browse admin's repos
 self._set_encoding('anotheruser', 'testcases', 'utf-8')
 self.assertStatus('403 Forbidden')
+
+ def test_set_encoding_method_get(self):
+ # When trying to update encoding with method GET
+ self.getPage("/settings/admin/testcases/?new_encoding=cp1252")
+ # Then page return without error
+ self.assertStatus(200)
+ # Then database is not updated
+ user = self.app.store.get_user(self.USERNAME)
+ repo = user.get_repo(self.REPO)
+ self.assertEqual('utf-8', repo.encoding)
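Review bot: `test_set_encoding_method_get` hard-codes the request path `/settings/admin/testcases/?new_encoding=cp1252` while the assertion looks the repository up via `self.USERNAME` and `self.REPO`, so the request and the check can drift apart if the fixture values change; `self.getPage("/settings/" + self.USERNAME + "/" + self.REPO + "/?new_encoding=cp1252")` matches the sibling tests added in test_page_settings.py and test_page_settings_remove_older.py. `# Then page return without error` should read `# Then page returns without error`. The expected `'utf-8'` is presumably the repository's default encoding in this fixture; the hunk does not show that, so a short comment stating it would help.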