mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 07:33:27 -06:00
86b073a7f0
Validate that the change_password and login_password endpoints verify the HTTP Referer header. There is some overlap in the tests: belt and suspenders. All endpoints except session/login_x509 are covered, sometimes having to rely on expected bad results (see the i18n endpoint). session/login_x509 is not tested yet as it requires significant additional setup in order to associate a user certificate with a user entry, etc. This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf and adding: Satisfy Any Require all granted Then comment out Auth and SSLVerify, etc. and restart httpd. With a valid Referer will fail with a 401 and log that there is no KRB5CCNAME. This comes after the referer check. With an invalid Referer it will fail with a 400 Bad Request as expected. CVE-2023-5455 Signed-off-by: Rob Crittenden <rcritten@redhat.com> |
||
---|---|---|
.. | ||
azure | ||
man | ||
prci_definitions | ||
pytest_ipa | ||
test_cmdline | ||
test_custodia | ||
test_install | ||
test_integration | ||
test_ipaclient | ||
test_ipalib | ||
test_ipaplatform | ||
test_ipapython | ||
test_ipaserver | ||
test_ipatests_plugins | ||
test_webui | ||
test_xmlrpc | ||
__init__.py | ||
conftest.py | ||
create_external_ca.py | ||
data.py | ||
i18n.py | ||
ipa-run-tests | ||
ipa-test-config | ||
ipa-test-task | ||
Makefile.am | ||
setup.cfg | ||
setup.py | ||
test_util.py | ||
util.py |