Authentication Form cookie verification

[prunille]

I try to set up a SSO front of Trac and it is no real SSO but only credentials replay with Vulture NG. The system submits the received cookie and some inputs but not all since I believe it can not send dynamic hidden inputs.

Can someone explain why dynamic hidden inputs need to be inserted in the authent form?

Regards, Prunille

[Noah Kantrowitz]

This is part of the CSRF protection introduced in 0.10.2. All POSTs must be accompanied by a token which is verified by the server.

[prunille]

Thanks a lot. I didn't know about this one! I guess this is especially bad in a SSO environnement. But I still don't understand how the token can prevent CRSF queries.

If the malicious code go directly to the POST, it doesn't get the cookie. If the script can get the form first, it has the cookie and the input. It can send them both.

So, I would think the cookie is enough to prevent direct access to the POST and input is not enough to prevent anything more since the script must had done a GET first to get the cookie. It is then possible to get the inputs as well.

Anyway, do you know a mean to go over?

[Noah Kantrowitz]

TracForge? already implements SSO for Trac, have you tried using that. Depending on your exact needs it might be a good start. If you have further questions you can usually find me on #trac.

[prunille]

No, I hadn't even had a look at TracForge but I may need it in the future. For now, I am only concerned with SSO between a trac environnement and some other applications like a webmail, a portal and so on... So my need is to use a product like vulture to spread the word to every system.

I changed the ticket as enhancement since you explained to me why this was done even if I don't completely understand (see my previous post). So the enhancement could be to give the admin a configuration option to enable or disable this checking.

Regards,

[Matt Good]

A CSRF attack is done by a malicious Javascript posting data from the user's browser and exploits the fact that the browser does have the cookie it needs to authenticate. See ​trac:#4049 and the links it provides for an explanation of the issue.

I'm always reluctant to provide workarounds for security measures, so I'm not committed to committing this yet, but I believe this patch should enable bypassing the token checking if you add "disable_csrf_protection = true" under the "account-manager" section in trac.ini:

acct_mgr/web_ui.py

@@ -16 +16 @@
 
 from trac import perm, util
 from trac.core import *
-from trac.config import IntOption
+from trac.config import IntOption, BoolOption
 from trac.notification import NotificationSystem, NotifyEmail
-from trac.web import auth
-from trac.web.api import IAuthenticator
-from trac.web.main import IRequestHandler
+from trac.web import auth, IAuthenticator, IRequestFilter, IRequestHandler
 from trac.web.chrome import INavigationContributor, ITemplateProvider
 from trac.util import Markup
 
@@ -337 +335 @@
 
 class LoginModule(auth.LoginModule):
 
-    implements(ITemplateProvider)
+    implements(ITemplateProvider, IRequestFilter)
 
+    disable_csrf_protection = BoolOption('account-manager', 'disable_csrf_protection')
+
+    def pre_process_request(self, req, handler):
+        if handler is self and self.disable_csrf_protection:
+            req.args['__FORM_TOKEN'] = req.form_token
+        return handler
+
+    def post_process_request(self, template, content_type):
+        return (template, content_type)
+
     def authenticate(self, req):
         if req.method == 'POST' and req.path_info.startswith('/login'):
             req.environ['REMOTE_USER'] = self._remote_user(req)

[Noah Kantrowitz]

What you really want is not related to AccountManager. You want to make a new authentication plugin that works with Vulture. Vulture looks somewhat similar to CAS, so you could use the TracCasPlugin as a starting point.

[Matt Good]

Yes, I think I agree with coderanger here. You're welcome to patch your AccountManager if you want, but I don't think it's a good idea to hack around this in the official release.