Anti-csrf measures and props-only permissions on mainline.

Anti-csrf measures and props-only permissions on mainline.

John P. Rouillard
Hi all:

I just pushed the change to define permissions that only apply to
properties and the anti-csrf measures to the repo. I think I finally
got it righter (read the checkin log for a chuckle).

Please test and work with these changes if you can.

If the docs are confusing let me know and we can work on fixing them.

Thanks.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-devel
Re: Anti-csrf measures and props-only permissions on mainline.

Joseph S. Myers
On Sat, 18 Mar 2017, John P. Rouillard wrote:

> Hi all:
>
> I just pushed the change to define permissions that only apply to
> properties and the anti-csrf measures to the repo. I think I finally
> got it righter (read the checkin log for a chuckle).
>
> Please test and work with these changes if you can.
>
> If the docs are confusing let me know and we can work on fixing them.

I don't see any changes to the provided templates in
share/roundup/templates/*/html - do they not need any changes to support
the anti-CSRF feature?

--
Joseph S. Myers
[hidden email]

Re: Anti-csrf measures and props-only permissions on mainline.

John P. Rouillard
In message <[hidden email]>,
Joseph Myers writes:

>On Sat, 18 Mar 2017, John P. Rouillard wrote:
>> I just pushed the change to define permissions that only apply to
>> properties and the anti-csrf measures to the repo. I think I finally
>> got it righter (read the checkin log for a chuckle).
>>
>> Please test and work with these changes if you can.
>>
>> If the docs are confusing let me know and we can work on fixing them.
>
>I don't see any changes to the provided templates in
>share/roundup/templates/*/html - do they not need any changes to support
>the anti-CSRF feature?

Good point. I need to convert some of those.

If the form/template uses the standard

  <... tal:content="structure context/submit" >

submit call you get the csrf stuff automatically. So you should have
the issue item pages protected by csrf.

In the standard enforcement mode, if the @csrf (anti-csrf) field is
missing the form will be accepted. So you can log in 8-).

I can probably have the classic template converted at least in an hour
or so.

I'll let you know when I push the updated template.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
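
A server-side token check with the selectable enforcement modes described in this reply (added example, not Roundup's own code; the mode names strict/lax/report, the in-memory token store and the function names are assumptions for the demonstration). In lax mode a missing @csrf field is accepted, as John says of the standard enforcement mode, while a present-but-wrong token is still rejected. It also spends any token that turns up in a GET query string, the point raised in the aside later in the thread, so an exposed token cannot be replayed in a later POST.

```python
"""Illustrative anti-CSRF token check with selectable enforcement modes.

Added example, not Roundup's code. Mode names, function names and the
module-level token store are assumptions for the demonstration.
"""
import hmac
import secrets
from urllib.parse import parse_qs

# Per-session store of unspent one-time tokens: {session_id: set(tokens)}.
# In a real tracker this would live in the session database, not a global.
_TOKENS = {}


def issue_token(session_id):
    """Mint a one-time token bound to a session.

    This is the value a templated submit button would embed as the
    hidden @csrf form field.
    """
    token = secrets.token_urlsafe(32)
    _TOKENS.setdefault(session_id, set()).add(token)
    return token


def _consume(session_id, token):
    """Spend a token if it is valid for this session (constant-time compare)."""
    for stored in list(_TOKENS.get(session_id, ())):
        if hmac.compare_digest(stored, token):
            _TOKENS[session_id].discard(stored)
            return True
    return False


def revoke_if_in_query(session_id, query_string):
    """Spend any @csrf token that appears in a GET query string.

    A token in a URL is exposed through logs, Referer headers and browser
    history, so it must not remain usable for a later POST.
    """
    for token in parse_qs(query_string).get("@csrf", []):
        _consume(session_id, token)


def check_request(session_id, method, form, mode="lax", report=None):
    """Decide whether a state-changing request may proceed.

    mode: 'strict' -> missing or bad token rejects
          'lax'    -> missing token accepted, bad token rejected
          'report' -> never rejects, only records the problem
    report: optional list that collects human-readable findings.
    Returns (accepted, reason).
    """
    report = report if report is not None else []
    if method.upper() != "POST":
        # Data-changing actions are only honoured over POST.
        return False, "state change requires POST"
    token = form.get("@csrf")
    if token is None:
        if mode == "strict":
            report.append("missing @csrf")
            return False, "missing @csrf"
        report.append("missing @csrf (allowed in %s mode)" % mode)
        return True, "missing @csrf tolerated"
    if _consume(session_id, token):
        return True, "ok"
    report.append("invalid or reused @csrf")
    if mode == "report":
        return True, "invalid @csrf tolerated in report mode"
    return False, "invalid @csrf"


if __name__ == "__main__":
    sid = "demo-session"
    findings = []
    good = issue_token(sid)
    print(check_request(sid, "POST", {"@csrf": good}, report=findings))
    print(check_request(sid, "POST", {"@csrf": good}, report=findings))  # replay
    print(check_request(sid, "POST", {}, mode="strict", report=findings))
    print(findings)
```

Tokens are single-use here, so a replayed token fails even in lax mode; a tracker rolling this out would run in report mode first, read the collected findings to find forms still missing the field, then switch to lax and finally strict.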

Re: Anti-csrf measures and props-only permissions on mainline.

Ralf Schlatterbeck
On Sat, Mar 18, 2017 at 10:40:13PM -0400, John P. Rouillard wrote:

> >I don't see any changes to the provided templates in
> >share/roundup/templates/*/html - do they not need any changes to support
> >the anti-CSRF feature?
>
> Good point. I need to convert some of those.
>
> If the form/template uses the standard
>
>   <... tal:content="structure context/submit" >
>
> submit call you get the csrf stuff automatically. So you should have
> the issue item pages protected by csrf.

John, thanks for implementing this -- especially for the config options
to roll this out in a testing mode first. I'll try to get this rolled
out in a production tracker on next occasion (but don't hold your
breath).

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: [hidden email]

Re: Anti-csrf measures and props-only permissions on mainline.

John P. Rouillard
Hi Ralf:

In message <[hidden email]>,
Ralf Schlatterbeck writes:

>On Sat, Mar 18, 2017 at 10:40:13PM -0400, John P. Rouillard wrote:
>> Joseph Myers writes:
>> >I don't see any changes to the provided templates in
>> >share/roundup/templates/*/html - do they not need any
>> >changes to support the anti-CSRF feature?
>>
>> Good point. I need to convert some of those.
>>
>> If the form/template uses the standard
>>
>>   <... tal:content="structure context/submit" >
>>
>> submit call you get the csrf stuff automatically. So you
>> should have the issue item pages protected by csrf.
>
>John, thanks for implementing this -- especially for the config options
>to roll this out in a testing mode first.

There is a fair amount of work to convert a tracker to using
csrf. So having a testing/lax enforcement mode (also a
report only mode) seemed required.

For posterity to convert the trackers (including mine) I used:

  cd html
  grep -i 'type=.submit.' *.html

Then I went through all the hits. For each hit, I checked to
see if the submit field was using the template submit
function. If it was I moved on to the next grep entry.

If it wasn't using the submit function, I looked at the
enclosing <form> tag to see if it was using
method='post'. If it was not, move to the next grep hit.

Start aside: now that I think of it, a token in a get
context can be used to submit a post request. The token
in the get request is more exposed. However I do not revoke
the token if used in a get request. While it is best to not
send one, it probably needs to be revoked if it is
present. Sigh more code/tests. End of aside.

If it was a post, I inserted the @csrf field either before
the @action or before the submit button.

I then repeated the checks above using the results of:

  grep -i method=.post. *.html

and verifying I caught all the forms.

It looks like the responsive and devel templates may be
using GET for some data change actions. However if it is a
data changing form that wasn't modified to use post, they
will fail since the Edit and other data changing actions
require the method to be POST.

I hope I got the changes to the jinja template right. I
don't have jinja installed anywhere that I can test.

>I'll try to get this rolled out in a production tracker on
>next occasion (but don't hold your breath).

Sounds good. I have been using demo mode for a fast sanity
check. Existing trackers will need some mods to fully use
the changes.

Now to see what else I need to do to get CSPs implemented.
I doubt that work will be finished for the 1.6.0 release.

Have a good week.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
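
The grep-and-inspect pass described in this message, as a script (added example, not part of Roundup; the three sample templates are constructed for the demonstration, and the regular expressions assume the `method=` attribute, the `context/submit` templated submit and the `@csrf`/`@action` field names that appear in the thread). It flags POST forms that neither use the templated submit nor carry a hidden @csrf field, and GET forms that carry an @action and will therefore fail once data-changing actions require POST.

```python
"""Audit Roundup-style HTML templates for forms lacking anti-CSRF protection.

Added example, not Roundup's code. The sample templates are constructed
for the demonstration; real templates live under html/ in a tracker.
"""
import re

# One <form ...>...</form> block at a time; attributes may span lines.
FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
METHOD_RE = re.compile(r"""\bmethod\s*=\s*["']?\s*(\w+)""", re.IGNORECASE)
# tal:content="structure context/submit" emits the hidden @csrf field itself.
TEMPLATED_SUBMIT_RE = re.compile(r"context/submit\b")
CSRF_FIELD_RE = re.compile(r"""<input\b[^>]*\bname\s*=\s*["']?@csrf\b""",
                           re.IGNORECASE)
ACTION_FIELD_RE = re.compile(r"""\bname\s*=\s*["']?@action\b""", re.IGNORECASE)


def audit_template(text, filename="<template>"):
    """Return findings as (filename, form_number, problem) tuples."""
    findings = []
    for n, m in enumerate(FORM_RE.finditer(text), start=1):
        attrs, body = m.group(1), m.group(2)
        mm = METHOD_RE.search(attrs)
        method = mm.group(1).upper() if mm else "GET"  # HTML default is GET
        if method == "POST":
            if TEMPLATED_SUBMIT_RE.search(body) or CSRF_FIELD_RE.search(body):
                continue  # protected one way or the other
            findings.append((filename, n,
                             "POST form without @csrf field or templated submit"))
        elif ACTION_FIELD_RE.search(body):
            findings.append((filename, n,
                             "%s form carries @action; data changes require POST"
                             % method))
    return findings


def audit_all(templates):
    """Audit a mapping of filename -> template text."""
    findings = []
    for name, text in templates.items():
        findings.extend(audit_template(text, name))
    return findings


# Constructed sample templates (not copied from any real tracker).
SAMPLE_TEMPLATES = {
    # Uses the templated submit: protected automatically.
    "issue.item.html": """
<form method="POST" name="itemSynopsis" onSubmit="return submit_once()"
      enctype="multipart/form-data" tal:attributes="action context/designator">
  <input type="text" name="title">
  <span tal:content="structure context/submit">submit button here</span>
</form>
""",
    # Hand-written submit button, no @csrf field: needs converting.
    "user.register.html": """
<form method="post" name="register">
  <input type="hidden" name="@action" value="register">
  <input type="text" name="username">
  <input type="submit" value="Register">
</form>
""",
    # A harmless GET search form, then a GET form that tries to edit data.
    "query.search.html": """
<form method="get" name="search">
  <input type="text" name="title">
  <input type="submit" value="Search">
</form>
<form name="quickedit">
  <input type="hidden" name="@action" value="edit">
  <input type="submit" value="Save">
</form>
""",
}


if __name__ == "__main__":
    for filename, form_no, problem in audit_all(SAMPLE_TEMPLATES):
        print("%s: form %d: %s" % (filename, form_no, problem))
```

To run it over a real tracker, read each `html/*.html` file into the mapping instead of `SAMPLE_TEMPLATES`; the hits are the forms where a hidden @csrf field should be inserted next to @action or the submit button, exactly the manual check described above.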
