Posted to commits@allura.apache.org by he...@apache.org on 2015/07/02 17:09:33 UTC
[18/23] allura git commit: [#7906] in login post,
pass a _session_id value in both POST and cookies, so it gets past CSRF checks
[#7906] in login post, pass a _session_id value in both POST and cookies, so it gets past CSRF checks
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/276671bf
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/276671bf
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/276671bf
Branch: refs/heads/hs/7894
Commit: 276671bf22bc4c7a0c0f0ed3bd270a56642b63b5
Parents: 661c8d0
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Mon Jun 29 18:01:36 2015 +0000
Committer: Heith Seewald <hs...@slashdotmedia.com>
Committed: Mon Jun 29 20:50:21 2015 +0000
----------------------------------------------------------------------
scripts/ApacheAccessHandler.py | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/276671bf/scripts/ApacheAccessHandler.py
----------------------------------------------------------------------
diff --git a/scripts/ApacheAccessHandler.py b/scripts/ApacheAccessHandler.py
index 1af3714..1ee9ebc 100644
--- a/scripts/ApacheAccessHandler.py
+++ b/scripts/ApacheAccessHandler.py
@@ -115,7 +115,11 @@ def check_authentication(req):
r = requests.post(auth_url, allow_redirects=False, data={
'username': username,
'password': password,
- 'return_to': '/login_successful'})
+ 'return_to': '/login_successful',
+ '_session_id': 'this-is-our-session',
+ }, cookies={
+ '_session_id': 'this-is-our-session',
+ })
return r.status_code == 302 and r.headers['location'].endswith('/login_successful')
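Review bot: The new `_session_id` entries use a fixed literal `'this-is-our-session'` with no comment saying why it is there, so a later maintainer may read it as a real session identifier rather than a client-side token chosen only to satisfy the double-submit CSRF check described in the commit message; add `# CSRF check compares the POST field with the cookie, so any value works as long as both match` above the `data=` dict. Because the server appears to require only that the two values agree, a per-call random token would avoid hard-coding a constant that is easy to grep for and reuse: `csrf_token = uuid.uuid4().hex` before the call, then `'_session_id': csrf_token,` in both the `data` and `cookies` dicts (this needs `import uuid` at the top of the file, which is outside the hunk). The enclosing check_authentication function starts before this hunk.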