Bug #4968

API with SSO access requires some CSRF protection

Added by Dominic Cleal over 3 years ago.

Status:New
Priority:Normal
Assigned To:-
Category:Security
Target version:-
Difficulty:
Bugzilla link:
Found in release:
Pull request:
Story points: -
Velocity based estimate: -

Description

The API can be accessed with our SSO implementations (e.g. REMOTE_USER, mod_auth_kerb), an existing session (#4776, #4895) or the HTTP basic auth "SSO" impl.

When using SSO impls, we should employ some CSRF protection so a user with, say, an active Kerberos ticket, can't be attacked to perform API requests using their active SSO.

See https://github.com/theforeman/foreman/pull/1331#issuecomment-39075332 for some background.
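One way to implement the check the report asks for, as an added example that is not Foreman's own code: credentials the browser attaches on its own (a session cookie, or web-server SSO such as REMOTE_USER from mod_auth_kerb) are exactly the ones a cross-site request can ride on, so those API requests must carry a valid CSRF token, while a request that explicitly sends its own Authorization: Basic header does not. The Request struct, the X-CSRF-Token header name and the assumption that the expected token is stored in the session are constructed for this example.

```ruby
require 'securerandom'

# Constructed stand-in for what Rack hands a Rails controller:
# request headers, the Rack env (where REMOTE_USER lands) and the session.
Request = Struct.new(:headers, :env, :session, keyword_init: true)

# Constant-time comparison so a token check does not leak timing information.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Which credential authenticated this API call?
#   :explicit - caller put Authorization: Basic on this request itself
#   :session  - an existing session cookie (browser-ambient)
#   :sso      - web-server SSO via REMOTE_USER (browser-ambient)
#   nil       - unauthenticated
def auth_source(req)
  return :explicit if req.headers['Authorization'].to_s.start_with?('Basic ')
  return :session  if req.session[:user_id]
  return :sso      if req.env['REMOTE_USER']
  nil
end

# Only ambient credentials need the CSRF token; an explicit per-request
# Authorization header cannot be forged onto the user by another site.
def csrf_check_required?(req)
  %i[session sso].include?(auth_source(req))
end

# Fail closed: an ambient-auth request without a matching token is rejected,
# including the SSO case where no token was ever issued into the session.
def api_request_permitted?(req)
  src = auth_source(req)
  return false if src.nil?
  return true unless csrf_check_required?(req)
  secure_compare(req.headers['X-CSRF-Token'], req.session[:csrf_token])
end
```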


Related issues

Related to Foreman - Bug #4895: API should check for the presence of a CSRF token when th... Closed 03/26/2014

History

#1 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #4895: API should check for the presence of a CSRF token when there is a session user added
