Redirect anonymous users to login page on loading validation results

VERIFIED FIXED in 6.1.6

Status

defect
VERIFIED FIXED
8 years ago
3 years ago

People

(Reporter: krupa.mozbugs, Assigned: andy+bugzilla)

Tracking

unspecified
6.1.6

Details

(Whiteboard: [patch][needs review], )

Attachments

(1 attachment)

Reporter

Description

8 years ago
steps to reproduce:
1. User is *not* logged-in.
2. Load https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4

expected behavior:
User is redirected to the login page

actual behavior:
Page is a 403 and shows 'Internal server error'
The 403 error is due to a CSRF validation failure to
https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4/json

Normally I would say that CSRF protection isn't needed on read-only pages. However there are cross-domain attacks that source json blobs, e.g. a malicious page would include something like
<script src="https://addons-next.allizom.org/en-US/developers/upload/655732f159b7453f9a91eee9d6dc40e4/json">
then an attacker would modify JS object handlers to read the data.

The normal mitigation to this type of attack is to prefix the blob to prevent the JS interpreter from evaluating the object, e.g.
while(1);//REST OF DATA
The client-side code would then strip out the "while(1);//" from the XHR response.

Since the CSRF token checking is preventing the attack right now... probably no reason to change it. I did notice that other views in the file are marked @csrf_view_exempt

As for the login issue, the supplied patch should fix it
Target Milestone: 6.1.3 → 6.1.4
Andy, can you review dchan's patch?
Assignee: nobody → dchan
Whiteboard: [patch][needs review]
It's a holiday in Canada. Kicking to next week.
Target Milestone: 6.1.4 → 6.1.5
Assignee: dchan → amckay
Target Milestone: 6.1.5 → 6.1.6
Assignee

Comment 4

8 years ago
Comment on attachment 541424 [details] [diff] [review]
require login to view validation results

Review of attachment 541424 [details] [diff] [review]:
-----------------------------------------------------------------
Attachment #541424 - Flags: review+
Assignee

Comment 5

8 years ago
http://github.com/jbalogh/zamboni/commit/8e034f

Thanks dchan.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard