HUE-2394

[core] Fix Cross-site request forgery (CSRF) vulnerabilities

    Details

      Description

      HUE has CSRF vulnerabilities across the whole application.
      For example, by submitting an HTTP POST request like the one below, the user "robin", who is currently logged in to the HUE application, will unintentionally change his password to '1234'.

      [Request]
      POST /useradmin/users/edit/robin HTTP/1.1
      Host: localhost:8888
      User-Agent: ...
      Cookie: ...
      Content-Type: ...
      username=robin&password1=1234&password2=1234

      [Response]
      HTTP/1.1 302 FOUND
      X-Hue-JFrame-Path: /useradmin/users/edit/robin
      Vary: Accept-Language, Cookie
      Content-Type: text/html; charset=utf-8
      Location: localhost:8888/useradmin/users/edit/robin
      Content-Language: en-us
      Set-Cookie: ...

      This patch leverages Django's built-in django.middleware.csrf.CsrfViewMiddleware middleware and its CSRF token to add CSRF protection to all views.
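      The check that this middleware adds, shown as an added illustration in plain Python rather than Hue's or Django's own code: the server issues a random token in a cookie and also embeds it as a hidden field in every form it renders; on an unsafe method (POST/PUT/PATCH/DELETE) the two must match. A cross-site form like the one in the request above makes the browser attach robin's cookies, but the attacker's page cannot read the csrftoken cookie to copy it into the body, so the request is refused before the view runs. The Request class, edit_user_view and the cookie/field names are constructed for the example (the field and cookie names mirror Django's defaults).

```python
"""Minimal model of the synchronizer-token check performed by a CSRF
middleware such as django.middleware.csrf.CsrfViewMiddleware.
Added illustration only; not Hue or Django code."""
import hmac
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
CSRF_COOKIE = "csrftoken"            # Django's default cookie name
CSRF_FIELD = "csrfmiddlewaretoken"   # Django's default hidden form field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption, not a real framework type)."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Random token the server sets in a cookie and embeds in each rendered form."""
    return secrets.token_hex(16)


def render_form(csrf_cookie: str) -> dict:
    """Hidden field the legitimate, same-site edit-user form carries."""
    return {CSRF_FIELD: csrf_cookie}


def csrf_check(request: Request) -> tuple:
    """Return (status, reason): 403 rejects the request, 200 lets it reach the view."""
    if request.method in SAFE_METHODS:
        return 200, "safe method, no token required"
    cookie_token = request.cookies.get(CSRF_COOKIE)
    if not cookie_token:
        return 403, "CSRF cookie not set"
    submitted = request.form.get(CSRF_FIELD, "")
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    if not hmac.compare_digest(submitted.encode(), cookie_token.encode()):
        return 403, "CSRF token missing or incorrect"
    return 200, "token matches"


def edit_user_view(request: Request, users: dict) -> int:
    """Toy version of /useradmin/users/edit/<name>: changes the password only
    when the CSRF check passes, then redirects (302) as in the report."""
    status, _reason = csrf_check(request)
    if status != 200:
        return status
    name = request.form["username"]
    if request.form["password1"] == request.form["password2"]:
        users[name] = request.form["password1"]
    return 302


def demo() -> tuple:
    """Replays the forged request from the report and a legitimate one."""
    users = {"robin": "original-secret"}
    token = issue_csrf_token()
    # Cross-site POST: the browser sends robin's cookies automatically, but
    # the attacker's form cannot include the matching hidden field.
    forged = Request(
        "POST", "/useradmin/users/edit/robin",
        cookies={"sessionid": "constructed-session", CSRF_COOKIE: token},
        form={"username": "robin", "password1": "1234", "password2": "1234"},
    )
    forged_status = edit_user_view(forged, users)
    # Same-site POST from the form Hue itself rendered: field matches cookie.
    legit_form = {"username": "robin", "password1": "new-pw", "password2": "new-pw"}
    legit_form.update(render_form(token))
    legit = Request(
        "POST", "/useradmin/users/edit/robin",
        cookies={"sessionid": "constructed-session", CSRF_COOKIE: token},
        form=legit_form,
    )
    legit_status = edit_user_view(legit, users)
    return forged_status, legit_status, users["robin"]


if __name__ == "__main__":
    print(demo())  # (403, 302, 'new-pw')
```

      Two properties of the real middleware are worth keeping in mind when reviewing such a patch: the check only runs for unsafe methods, so state-changing GET handlers stay exposed, and every form template (and every AJAX POST) must now send the token, which is why a fix like this touches "all views" rather than one.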

            People

            • Assignee: bhargava (Bhargava Kalathuru)
            • Reporter: bhargava (Bhargava Kalathuru)