Closed
Bug 880894
Opened 12 years ago
Closed 12 years ago
Implement CSRF protection for MakeAPI
Categories
(Webmaker Graveyard :: MakeAPI, defect)
Webmaker Graveyard
MakeAPI
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jon, Assigned: cade)
Details
(Whiteboard: s=2013w24 p=1)
Attachments
(1 file)
No description provided.
Updated•12 years ago
Whiteboard: s=2013w24 → s=2013w24 p=1
Updated•12 years ago
Assignee: pomax → chris
Comment 1 (Assignee)•12 years ago
This patch adds the express.csrf() middleware to routes that use our Webmaker SSO to make authenticated API calls (the Login/Admin pages).
I added the option for a CSRF token in the Make API client code so that it can be applied to the header of requests.
Regular routes that are used by our trusted apps through basic authentication do not need CSRF protection, since they can't be loaded into an iframe and abused by an attacker. Also, searching doesn't change the state of the session/database and thus does not need CSRF protection either.
Attachment #760395 - Flags: review?(jon)
Updated•12 years ago
Severity: normal → blocker
Comment 2 (Reporter)•12 years ago
Comment on attachment 760395
https://github.com/mozilla/MakeAPI/pull/81
r+ with nits; I think you can delete the reference to the CSRF token in the node strategy.
Attachment #760395 - Flags: review?(jon) → review+
Comment 3•12 years ago
Commit pushed to master at https://github.com/mozilla/MakeAPI
https://github.com/mozilla/MakeAPI/commit/673b62980eff38522fdc870d8bc0994dd300de3f
Fix Bug 880894 - Add CSRF middleware to protect vulnerable admin routes and paths
Updated•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•11 years ago
Attachment mime type: text/plain → text/x-github-pull-request