mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 15:13:50 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header.

There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint).

session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding:

    Satisfy Any
    Require all granted

Then comment out Auth and SSLVerify, etc. and restart httpd.

With a valid Referer it will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check.

With an invalid Referer it will fail with a 400 Bad Request as expected.

CVE-2023-5455

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
..
data
test_install
__init__.py
httptest.py
test_adtrust_mockup.py
test_changepw.py
test_dnssec.py
test_i18n_messages.py
test_ipap11helper.py
test_jsplugins.py
test_kadmin.py
test_ldap.py
test_login_password.py
test_migratepw.py
test_otptoken_import.py
test_referer.py
test_rpcserver.py
test_secrets.py
test_secure_ajp_connector.py
test_serverroles.py
test_topology_plugin.py
test_version_comparison.py