Project

General

Profile

Actions
Copy link

Bug #4968

open

API with SSO access requires some CSRF protection

Added by Dominic Cleal over 10 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Security
Target version:
-
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The API can be accessed with our SSO implementations (e.g. REMOTE_USER, mod_auth_kerb), an existing session (#4776, #4895) or the HTTP basic auth "SSO" impl.

When using SSO impls, we should employ some CSRF protection so a user with say, an active Kerberos ticket, can't be attacked to perform API requests using their active SSO.

See https://github.com/theforeman/foreman/pull/1331#issuecomment-39075332 for some background.

Related issues 1 (0 open1 closed)

Related to Foreman - Bug #4895: API should check for the presence of a CSRF token when there is a session userClosedEric Helms03/26/2014Actions
Actions
Copy link

Also available in: Atom PDF