mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header. There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint). session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding: Satisfy Any Require all granted Then comment out Auth and SSLVerify, etc. and restart httpd. With a valid Referer will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check. With an invalid Referer it will fail with a 400 Bad Request as expected. CVE-2023-5455 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
61 lines
2.0 KiB
Python
61 lines
2.0 KiB
Python
# Authors:
|
|
# Martin Kosek <mkosek@redhat.com>
|
|
#
|
|
# Copyright (C) 2012 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
"""
|
|
Base class for HTTP request tests
|
|
"""
|
|
|
|
import urllib
|
|
|
|
from ipalib import api, util
|
|
|
|
|
|
class Unauthorized_HTTP_test:
|
|
"""
|
|
Base class for simple HTTP request tests executed against URI
|
|
with no required authorization
|
|
"""
|
|
app_uri = ''
|
|
host = api.env.host
|
|
cacert = api.env.tls_ca_cert
|
|
content_type = 'application/x-www-form-urlencoded'
|
|
accept_language = 'en-us'
|
|
|
|
def send_request(self, method='POST', params=None, host=None):
|
|
"""
|
|
Send a request to HTTP server
|
|
|
|
:param key When not None, overrides default app_uri
|
|
"""
|
|
if params is not None:
|
|
if self.content_type == 'application/x-www-form-urlencoded':
|
|
params = urllib.parse.urlencode(params, True)
|
|
if host:
|
|
url = 'https://' + host + self.app_uri
|
|
else:
|
|
url = 'https://' + self.host + self.app_uri
|
|
|
|
headers = {'Content-Type': self.content_type,
|
|
'Accept-Language': self.accept_language,
|
|
'Referer': url}
|
|
|
|
conn = util.create_https_connection(
|
|
self.host, cafile=self.cacert)
|
|
conn.request(method, self.app_uri, params, headers)
|
|
return conn.getresponse()
|