Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.6.0
Fix Version/s: 3.8.0
Component/s: app.catalog, app.dashboard, app.editor, app.filebrowser, con.hbase, con.hive, con.oozie, con.spark, con.sqoop, con.zookeeper, core.ui, core.users
Labels:
Target Version:
Description
HUE has CSRF vulnerabilities across the whole application.
For example, by submitting an HTTP POST request like the one below, the user "robin", currently logged in to the HUE application, will unintentionally change his password to '1234'.
[Request]
POST /useradmin/users/edit/robin HTTP/1.1
Host: localhost:8888
User-Agent: ...
Cookie: ...
Content-Type: ...

username=robin&password1=1234&password2=1234
[Response]
HTTP/1.1 302 FOUND
X-Hue-JFrame-Path: /useradmin/users/edit/robin
Vary: Accept-Language, Cookie
Content-Type: text/html; charset=utf-8
Location: localhost:8888/useradmin/users/edit/robin
Content-Language: en-us
Set-Cookie: ...
This patch leverages Django's built-in django.middleware.csrf.CsrfViewMiddleware and its CSRF token to add CSRF protection to all views.
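As an added illustration of why the forged request above fails once the middleware is enabled, here is a stand-alone model of the double-submit-cookie check that Django's CsrfViewMiddleware performs (written for this note, not Hue's or Django's code; it uses Django's default cookie, form-field and header names, and the request texts are constructed from the description above):

```python
import hmac
import secrets
from urllib.parse import parse_qs

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
COOKIE_NAME = "csrftoken"           # Django's default CSRF cookie name
FIELD_NAME = "csrfmiddlewaretoken"  # Django's default form field name
HEADER_NAME = "x-csrftoken"         # Django's default header, lower-cased here

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def cookies(headers):
    """Parse the Cookie header into a name -> value dict."""
    out = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            out[name] = value
    return out

def csrf_check(raw):
    """Return (accepted, reason): the submitted token (form field or header)
    must equal the token in the CSRF cookie; a cross-site form cannot read
    the cookie, so it cannot supply a matching field."""
    method, headers, body = parse_request(raw)
    if method in SAFE_METHODS:
        return True, "safe method"
    cookie_token = cookies(headers).get(COOKIE_NAME)
    if not cookie_token:
        return False, "CSRF cookie not set"
    submitted = parse_qs(body).get(FIELD_NAME, [None])[0] or headers.get(HEADER_NAME)
    if not submitted:
        return False, "CSRF token missing"
    if not hmac.compare_digest(cookie_token, submitted):  # constant-time compare
        return False, "CSRF token incorrect"
    return True, "ok"

TOKEN = secrets.token_hex(16)  # constructed per-session token value
HEAD = "POST /useradmin/users/edit/robin HTTP/1.1\r\nHost: localhost:8888\r\n"
BODY = "username=robin&password1=1234&password2=1234"
# Constructed: the forged request from the description; the browser attaches the cookie, but no field
FORGED = HEAD + f"Cookie: sessionid=abc; csrftoken={TOKEN}\r\n\r\n" + BODY
# Constructed: the same form submitted from Hue's own page, so the token appears in both places
LEGIT = HEAD + f"Cookie: sessionid=abc; csrftoken={TOKEN}\r\n\r\n" + BODY + f"&{FIELD_NAME}={TOKEN}"
```

Running `csrf_check(FORGED)` rejects the forged password change with "CSRF token missing", while `csrf_check(LEGIT)` accepts the same form when it carries the matching token.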