Revision: bd4a877547b2
Branch: default
Author: Jason Robbins <
jrob...@chromium.org>
Date: Thu Feb 12 20:20:07 2015 UTC
Log: Add XSRF checking and SSL certificate verification where they
were missing in Rietveld.
Review URL:
https://codereview.chromium.org/881283004/
https://code.google.com/p/rietveld/source/detail?r=bd4a877547b2
Modified:
/codereview/models.py
/codereview/views.py
/templates/block_user.html
=======================================
--- /codereview/models.py Wed Aug 20 20:35:16 2014 UTC
+++ /codereview/models.py Thu Feb 12 20:20:07 2015 UTC
@@ -856,7 +856,7 @@
url = utils.make_url(base, self.filename, rev)
logging.info('Fetching %s', url)
try:
- result = urlfetch.fetch(url)
+ result = urlfetch.fetch(url, validate_certificate=True)
except urlfetch.Error, err:
msg = 'Error fetching %s: %s: %s' % (url, err.__class__.__name__,
err)
logging.warn('FetchBase: %s', msg)
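Review bot: `validate_certificate=True` only has an effect when `url` is https, and the hunk shows `url` built by `utils.make_url(base, self.filename, rev)` with no check on the scheme, so a plain-http base is still fetched with nothing verified. If `base` can be supplied from outside (not visible here), an explicit scheme check next to the fetch, `if not url.startswith('https://'): logging.warn('FetchBase: non-https base %s', url)`, would make the intended policy visible rather than implicit. A certificate failure now lands in the same `except urlfetch.Error` branch as any other fetch problem, so the generic 'Error fetching' warning is the only trace of it; a comment on the fetch line, `# a failed certificate check raises urlfetch.SSLCertificateError, handled below`, would tell the next reader what to look for in the logs. The same fetch is changed in views.py at `@@ -1368`, where the exception text is copied straight into `form.errors['url']`. The enclosing function starts and ends outside the hunk.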
=======================================
--- /codereview/views.py Thu Aug 21 19:11:20 2014 UTC
+++ /codereview/views.py Thu Feb 12 20:20:07 2015 UTC
@@ -932,6 +932,7 @@
@deco.admin_required
@deco.user_key_required
+...@deco.xsrf_required
def block_user(request):
"""/user/<user>/block - Blocks a specific user."""
account = models.Account.get_account_for_user(request.user_to_show)
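Review bot: The docstring of `block_user` does not record that the view is now guarded by the XSRF check; `"""/user/<user>/block - Blocks a specific user (the POST form must carry xsrf_token)."""` would state it next to the decorator. `@deco.xsrf_required` is applied innermost, after `admin_required` and `user_key_required`, so the admin and key checks run before the token check, which is the sensible order as long as `xsrf_required` itself covers the form's method (its definition is outside this hunk). This listing shows the added line as `+...@deco.xsrf_required` and the header counts six old lines where only five are visible, so one line of the hunk appears to have been lost in rendering and the committed text should be checked against the repository. The body of `block_user` continues past the hunk.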
@@ -1368,7 +1369,7 @@
url = None
elif url:
try:
- fetch_result = urlfetch.fetch(url)
+ fetch_result = urlfetch.fetch(url, validate_certificate=True)
except Exception as err:
form.errors['url'] = [str(err)]
return None
=======================================
--- /templates/block_user.html Tue Jul 15 18:57:51 2014 UTC
+++ /templates/block_user.html Thu Feb 12 20:20:07 2015 UTC
@@ -11,6 +11,7 @@
<h2>Blocking {{viewed_account.email}} ({{viewed_account.nickname}})</h2>
<form action="{%url codereview.views.block_user viewed_account.email%}"
method="post">
+<input type="hidden" name="xsrf_token" value="{{xsrf_token}}">
<table class="formtable">
{{form}}
<tr><td><input type="submit" value="Update"></td></tr>
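Review bot: The hidden field renders with an empty value unless `xsrf_token` is present in the template context, and nothing in this change shows `block_user` (views.py `@@ -932`) or a shared response helper putting it there; if it is not already supplied, every submit of this form is now rejected by the new decorator. Worth confirming that the rendered input carries a token and documenting the dependency in the template, `{# xsrf_token is checked by deco.xsrf_required on views.block_user #}`. The form's `method="post"` on the context line above means the token travels in the request body, which is presumably what the decorator reads.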