
[Freeipa-devel] [PATCH] resend enable sessions in the GUI



This enables server-side, file-based sessions in the web GUI. In production the sessions will be stored in /var/cache/ipa.

I've also added a simple mechanism to try to ensure that the record being updated is the record that was last opened for editing. This is an attempt to mitigate a phishing-style (cross-site request forgery) attack that might trick a user into clicking a link that does a POST and updates their password in the UI.

rob
# HG changeset patch
# User Rob Crittenden <rcritten redhat com>
# Date 1199383656 18000
# Node ID 87dcf09d9f5823bc6bd0f38f2b51519e90356dc1
# Parent  dc6be0aa631dd5e3ab453488b15a09111a4fb5de
Enable server-side sessions. It is currently using files for sessions.

diff -r dc6be0aa631d -r 87dcf09d9f58 ipa-server/ipa-gui/dev.cfg
--- a/ipa-server/ipa-gui/dev.cfg	Thu Jan 03 09:29:58 2008 -0500
+++ b/ipa-server/ipa-gui/dev.cfg	Thu Jan 03 13:07:36 2008 -0500
@@ -35,6 +35,12 @@ visit.manager='proxyvisit'
 
 # for Windows users, sqlite URIs look like:
 # sqlobject.dburi="sqlite:///drive_letter:/path/to/file"
+
+# TurboGears sessions. Storing in /tmp for a production system would be
+# insane but should be fine for developers.
+session_filter.on = True
+session_filter.storage_type='File'
+session_filter.storage_path='/tmp'
 
 # SERVER
 
diff -r dc6be0aa631d -r 87dcf09d9f58 ipa-server/ipa-gui/ipa-webgui.cfg
--- a/ipa-server/ipa-gui/ipa-webgui.cfg	Thu Jan 03 09:29:58 2008 -0500
+++ b/ipa-server/ipa-gui/ipa-webgui.cfg	Thu Jan 03 13:07:36 2008 -0500
@@ -47,6 +47,12 @@ server.thread_pool = 10
 # Set to True if you'd like to abort execution if a controller gets an
 # unexpected parameter. False by default
 # tg.strict_parameters = False
+
+# TurboGears sessions. 
+session_filter.on = True
+session_filter.storage_type='File'
+session_filter.storage_path='/var/cache/ipa'
+
 
 # LOGGING
 # Logging configuration generally follows the style of the standard
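Review bot: The production session block enables file storage under /var/cache/ipa but leaves every other session_filter setting at its default, so the session lifetime is whatever the TurboGears default happens to be rather than a value chosen for an admin UI that changes passwords; setting it explicitly, e.g. `session_filter.timeout = 30` together with the matching clean-up interval, would document the intended lifetime. If the session filter version in use supports marking the session cookie secure, that belongs here as well, assuming the GUI is served over HTTPS. The storage path must also stay in step with the directory the installer creates and be writable by the user the ipa-webgui service runs as, which this file cannot show.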
diff -r dc6be0aa631d -r 87dcf09d9f58 ipa-server/ipa-gui/ipagui/subcontrollers/user.py
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Thu Jan 03 09:29:58 2008 -0500
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py	Thu Jan 03 13:07:36 2008 -0500
@@ -362,6 +362,10 @@ class UserController(IPAController):
                         ipaerror.exception_for(ipaerror.LDAP_DATABASE_ERROR)):
                     pass
 
+            # Set the uid we're editting in the session. If it doesn't match
+            # later the update will not be processed
+            cherrypy.session['uid'] = user_dict.get('uid')
+
             return dict(form=user_edit_form, user=user_dict,
                     user_groups=user_groups_dicts)
         except ipaerror.IPAError, e:
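Review bot: The value saved at `cherrypy.session['uid'] = user_dict.get('uid')` is the target user's uid, which an attacker forging a POST can guess (typically the victim's own login), so it binds the later update to a uid rather than to the form the user actually rendered; for the phishing/CSRF case the commit message describes, the check in update() is satisfied by any forged request naming the same uid once the edit page has been visited. A stronger variant keeps this uid but also stores an unguessable per-form nonce, e.g. `cherrypy.session['edit_token'] = os.urandom(16).encode('hex')` (requires `import os`, not visible in this hunk), renders it into the form as a hidden field, and has update() require the matching token. Note also that a single session slot means a second edit page opened in another tab overwrites the first, so the first form's submit will be rejected. The enclosing edit() method starts outside this hunk.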
@@ -383,6 +387,14 @@ class UserController(IPAController):
         if kw.get('submit') == 'Cancel Edit':
             turbogears.flash("Edit user cancelled")
             raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
+        edituid = cherrypy.session.get('uid')
+        if not edituid or edituid != kw.get('uid'):
+            turbogears.flash("Something went wrong. You last viewed %s but are trying to update %s" % (kw.get('uid'), edituid))
+            raise turbogears.redirect('/user/show', uid=kw.get('uid'))
+
+        # We no longer need this
+        cherrypy.session['uid'] = None
 
         # Fix incoming multi-valued fields we created for the form
         kw = ipahelper.fix_incoming_fields(kw, 'cn', 'cns')
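Review bot: The flash message `"Something went wrong. You last viewed %s but are trying to update %s" % (kw.get('uid'), edituid)` has its arguments swapped — `edituid` is the value saved when the edit page was viewed and `kw.get('uid')` is the one being submitted — so it should read `% (edituid, kw.get('uid'))`. Separately, the 'Cancel Edit' branch just above redirects before the session value is cleared, so a cancelled edit leaves `session['uid']` set until the next successful update; clearing it in both paths with `cherrypy.session.pop('uid', None)` (or moving the check and clear ahead of the cancel branch) would close that gap. The enclosing update() method starts outside this hunk.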
diff -r dc6be0aa631d -r 87dcf09d9f58 ipa-server/ipaserver/webguiinstance.py
--- a/ipa-server/ipaserver/webguiinstance.py	Thu Jan 03 09:29:58 2008 -0500
+++ b/ipa-server/ipaserver/webguiinstance.py	Thu Jan 03 13:07:36 2008 -0500
@@ -18,6 +18,7 @@
 #
 
 import service
+import os
 
 class WebGuiInstance(service.Service):
     def __init__(self):
@@ -26,4 +27,11 @@ class WebGuiInstance(service.Service):
     def create_instance(self):
         self.step("starting ipa-webgui", self.restart)
         self.step("configuring ipa-webgui to start on boot", self.chkconfig_on)
+        self.step("creating session cache directory", self.__create_cache_dir)
         self.start_creation("Configuring ipa-webgui")
+
+    def __create_cache_dir(self):
+        try:
+            os.makedirs("/var/cache/ipa", 0700)
+        except:
+            pass
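Review bot: The bare `except: pass` in `__create_cache_dir` hides every failure, including a pre-existing /var/cache/ipa with looser permissions or a symlink planted there by a local user, and the step is registered after "starting ipa-webgui", so the service is started before the directory the session filter writes into exists. I would register the step before the restart, catch only `OSError`, tolerate `EEXIST`, and then verify that the existing path is a real directory and force the 0700 mode (this needs `import errno` and `import stat` alongside the new `import os`). Whether ipa-webgui runs as root or a dedicated user is not visible here; if it is not root, the directory also needs to be chowned to that user or it will be unwritable.
```python
    def create_instance(self):
        self.step("creating session cache directory", self.__create_cache_dir)
        self.step("starting ipa-webgui", self.restart)
        # … unchanged: chkconfig step and start_creation …

    def __create_cache_dir(self):
        # Session files live here (see ipa-webgui.cfg); the directory must
        # exist before the service starts and must not be readable by others.
        try:
            os.makedirs("/var/cache/ipa", 0700)
        except OSError, e:
            if e.errno != errno.EEXIST:
                raise
            # Pre-existing path: refuse anything that is not a real directory
            # and tighten the mode in case it was created more loosely.
            st = os.lstat("/var/cache/ipa")
            if not stat.S_ISDIR(st.st_mode):
                raise
            os.chmod("/var/cache/ipa", 0700)
```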


