Vulnerable to CSRF when Referer header omitted
Bug #529348 reported by William Grant
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | High | Leonard Richardson | |
Bug Description
canonical.
There may be concerns about causing problems for users who do not send Referer at all, but as of a couple of days ago login.ubuntu.com rejects such requests, and I believe Launchpad will use it for authentication soon.
Related branches
lp:~leonardr/launchpadlib/529348-fix
Merged into lp:launchpadlib
- Gary Poster: Approve
Diff: 71 lines (+15/-5), 3 files modified
- src/launchpadlib/NEWS.txt (+7/-0)
- src/launchpadlib/__init__.py (+1/-1)
- src/launchpadlib/credentials.py (+7/-4)
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → High
milestone: none → 10.03
assignee: nobody → Gary Poster (gary)
Changed in launchpad-foundations:
assignee: Gary Poster (gary) → Leonard Richardson (leonardr)
Changed in launchpad-foundations:
status: Fix Committed → Fix Released
tags: added: qa-ok; removed: qa-needstesting
visibility: private → public
I agree that closing this security hole is more important than supporting users who strip Referer.
Handling the user complaints may be painful. Maybe we'll already encounter the pain with login.ubuntu.com, as you say.
Looks like all we'd have to do is drop the two lines ``if not referrer: return``.
Thanks
Gary
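The flaw described in the report and in Gary's comment, shown as an added example that is not launchpadlib's own code: a Referer-based CSRF check that short-circuits with `if not referrer: return` accepts any request that simply arrives without a Referer header, so the origin is never verified. The hardened version fails closed. The allow-list of trusted hosts, the handler names and the sample requests are all constructed for this illustration; the check simply has to answer "accept or reject" for a dict of request headers.

```python
"""Referer-based CSRF check: the flawed early return next to the fixed form.

Illustration added for bug #529348; not code from launchpadlib. The trusted
host list, function names and sample requests are assumptions made for the
example.
"""
from urllib.parse import urlsplit

# Assumed allow-list of origins that are permitted to drive the flow.
TRUSTED_HOSTS = {"launchpad.net", "login.ubuntu.com"}


def _referer_trusted(referer):
    """True only if Referer parses as an https URL whose host is trusted.

    urlsplit() is used rather than string matching so that a lookalike such
    as https://launchpad.net.evil.example/ is not accepted.
    """
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def check_referer_vulnerable(headers):
    """Flawed check: a missing Referer is silently accepted.

    This is the ``if not referrer: return`` pattern from the comment above.
    Any request that omits the header (a client or proxy that strips it, or
    a navigation in which the browser does not send one) passes without the
    origin ever being checked. Returns True when the request is accepted.
    """
    referrer = headers.get("Referer")
    if not referrer:
        return True          # the bug: no Referer means no check at all
    return _referer_trusted(referrer)


def check_referer_fixed(headers):
    """Hardened check: an absent or untrusted Referer is rejected.

    The cost is that users who strip Referer entirely are turned away,
    which is the trade-off the report and the comment discuss.
    """
    referrer = headers.get("Referer")
    if not referrer:
        return False         # fail closed
    return _referer_trusted(referrer)


# Constructed sample requests, keyed by what each one represents.
SAMPLE_REQUESTS = {
    "legit": {"Referer": "https://launchpad.net/+authorize-token"},
    "cross_site": {"Referer": "https://evil.example/attack.html"},
    "lookalike": {"Referer": "https://launchpad.net.evil.example/x"},
    "downgraded": {"Referer": "http://launchpad.net/"},
    "no_referer": {},
}


def evaluate(check):
    """Run one check over every sample request; True means accepted."""
    return {name: check(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, check in (("vulnerable", check_referer_vulnerable),
                         ("fixed", check_referer_fixed)):
        print(label, evaluate(check))
```

Running the block shows that both versions agree on every request that carries a Referer; they differ only on the request with none, which the vulnerable check waves through and the fixed one rejects.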