From 92f77c58a44dc7c2504d1cbbc5d384fc2f712167 Mon Sep 17 00:00:00 2001
From: Adrian Moennich
Date: Mon, 13 Jul 2015 10:37:52 +0200
Subject: [PATCH] Show warning on POST to RHs without CSRF check

Only in debug mode and only for RHs indico.core/indico/modules since we don't really care about legacy RHs.
---
 indico/MaKaC/webinterface/rh/base.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/indico/MaKaC/webinterface/rh/base.py b/indico/MaKaC/webinterface/rh/base.py
index 19e52ab45..57798a35c 100644
--- a/indico/MaKaC/webinterface/rh/base.py
+++ b/indico/MaKaC/webinterface/rh/base.py
@@ -23,6 +23,7 @@ import pstats
 import sys
 import random
 import StringIO
+import warnings
 from datetime import datetime, timedelta
 from functools import wraps, partial
 from urlparse import urljoin
@@ -370,6 +371,13 @@ class RH(RequestHandlerBase):
             msg = _(u"It looks like there was a problem with your current session. Please use your browser's back "
                     u"button, reload the page and try again.")
             raise BadRequest(msg)
+        elif not self.CSRF_ENABLED and current_app.debug and request.method != 'GET':
+            # Warn if CSRF is not enabled for a RH in new code
+            module = self.__class__.__module__
+            if module.startswith('indico.modules.') or module.startswith('indico.core.'):
+                msg = (u'{} request sent to {} which has no CSRF checks. Set `CSRF_ENABLED = True` in the class to '
+                       u'enable them.').format(request.method, self.__class__.__name__)
+                warnings.warn(msg, RuntimeWarning)
             # legacy csrf check (referer-based):
             # Check referer for POST requests. We do it here so we can properly use indico's error handling
             if Config.getInstance().getCSRFLevel() < 3 or request.method != 'POST':
-- 
2.11.4.GIT
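Review bot: The new branch emits a plain `RuntimeWarning`, which under the default filter is printed once per distinct message and can only be noticed by someone watching the debug console; a dedicated category declared at module level (for example `class CSRFDisabledWarning(RuntimeWarning): pass`, name is a suggestion) and passed as `warnings.warn(msg, CSRFDisabledWarning)` would let the test suite escalate it with `warnings.simplefilter('error', CSRFDisabledWarning)` so an unprotected non-GET handler in indico.modules/indico.core fails a test instead of silently shipping. The message also claims the handler has "no CSRF checks", but execution falls through to the referer-based legacy check visible right below, so `which has no token-based CSRF check` would be more accurate. The two prefix tests can be one call: `if module.startswith(('indico.modules.', 'indico.core.')):`. The enclosing method starts and ends outside the hunk, so the value of `token` and the exact condition of the preceding `if` are not visible here.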