mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header. There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint). session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding: Satisfy Any Require all granted Then comment out Auth and SSLVerify, etc. and restart httpd. With a valid Referer will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check. With an invalid Referer it will fail with a 400 Bad Request as expected. CVE-2023-5455 Signed-off-by: Rob Crittenden <rcritten@redhat.com> |
||
|---|---|---|
| .. | ||
| data | ||
| test_install | ||
| __init__.py | ||
| httptest.py | ||
| test_adtrust_mockup.py | ||
| test_changepw.py | ||
| test_dnssec.py | ||
| test_i18n_messages.py | ||
| test_ipap11helper.py | ||
| test_jsplugins.py | ||
| test_kadmin.py | ||
| test_ldap.py | ||
| test_login_password.py | ||
| test_migratepw.py | ||
| test_otptoken_import.py | ||
| test_referer.py | ||
| test_rpcserver.py | ||
| test_secrets.py | ||
| test_secure_ajp_connector.py | ||
| test_serverroles.py | ||
| test_topology_plugin.py | ||
| test_version_comparison.py | ||