Opened 18 years ago
Closed 18 years ago
#1011 closed enhancement (wontfix)
Authentication Form cookie verification
Reported by: | prunille | Owned by: | Matt Good |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | Form Auth Input |
Cc: | freesoitj@… | Trac Release: | 0.10 |
Description
I try to set up a SSO front of Trac and it is no real SSO but only credentials replay with Vulture NG. The system submits the received cookie and some inputs but not all since I believe it can not send dynamic hidden inputs.
Can someone explain why dynamic hidden inputs need to be inserted in the authent form?
Regards, Prunille
Attachments (0)
Change History (7)
comment:1 Changed 18 years ago by
comment:2 Changed 18 years ago by
Thanks a lot. I didn't know about this one! I guess this is especially bad in a SSO environnement. But I still don't understand how the token can prevent CRSF queries.
If the malicious code go directly to the POST, it doesn't get the cookie. If the script can get the form first, it has the cookie and the input. It can send them both.
So, I would think the cookie is enough to prevent direct access to the POST and input is not enough to prevent anything more since the script must had done a GET first to get the cookie. It is then possible to get the inputs as well.
Anyway, do you know a mean to go over?
comment:3 Changed 18 years ago by
TracForge? already implements SSO for Trac, have you tried using that. Depending on your exact needs it might be a good start. If you have further questions you can usually find me on #trac.
comment:4 Changed 18 years ago by
Type: | defect → enhancement |
---|
No, I hadn't even had a look at TracForge but I may need it in the future. For now, I am only concerned with SSO between a trac environnement and some other applications like a webmail, a portal and so on... So my need is to use a product like vulture to spread the word to every system.
I changed the ticket as enhancement since you explained to me why this was done even if I don't completely understand (see my previous post). So the enhancement could be to give the admin a configuration option to enable or disable this checking.
Regards,
comment:5 Changed 18 years ago by
A CSRF attack is done by a malicious Javascript posting data from the user's browser and exploits the fact that the browser does have the cookie it needs to authenticate. See trac:#4049 and the links it provides for an explanation of the issue.
I'm always reluctant to provide workarounds for security measures, so I'm not committed to committing this yet, but I believe this patch should enable bypassing the token checking if you add "disable_csrf_protection = true" under the "account-manager" section in trac.ini:
-
acct_mgr/web_ui.py
16 16 17 17 from trac import perm, util 18 18 from trac.core import * 19 from trac.config import IntOption 19 from trac.config import IntOption, BoolOption 20 20 from trac.notification import NotificationSystem, NotifyEmail 21 from trac.web import auth 22 from trac.web.api import IAuthenticator 23 from trac.web.main import IRequestHandler 21 from trac.web import auth, IAuthenticator, IRequestFilter, IRequestHandler 24 22 from trac.web.chrome import INavigationContributor, ITemplateProvider 25 23 from trac.util import Markup 26 24 … … 337 335 338 336 class LoginModule(auth.LoginModule): 339 337 340 implements(ITemplateProvider )338 implements(ITemplateProvider, IRequestFilter) 341 339 340 disable_csrf_protection = BoolOption('account-manager', 'disable_csrf_protection') 341 342 def pre_process_request(self, req, handler): 343 if handler is self and self.disable_csrf_protection: 344 req.args['__FORM_TOKEN'] = req.form_token 345 return handler 346 347 def post_process_request(self, template, content_type): 348 return (template, content_type) 349 342 350 def authenticate(self, req): 343 351 if req.method == 'POST' and req.path_info.startswith('/login'): 344 352 req.environ['REMOTE_USER'] = self._remote_user(req)
comment:6 Changed 18 years ago by
What you really want is not related to AccountManager. You want to make a new authentication plugin that works with Vulture. Vulture looks somewhat similar to CAS, so you could use the TracCasPlugin as a starting point.
comment:7 Changed 18 years ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Yes, I think I agree with coderanger here. You're welcome to patch your AccountManager if you want, but I don't think it's a good idea to hack around this in the official release.
This is part of the CSRF protection introduced in 0.10.2. All POSTs must be accompanied by a token which is verified by the server.