rhodecode-enterprise-ce Commit - r1817:7df55c97

security: use 404 instead of 403 code on permission decorator to prevent resource discovery attacks.

ergo -

r1817:7df55c97 default

parent child

rhodecode/lib/auth.py

0 +3 -3

             from functools import wraps
             import ipaddress
-            from pyramid.httpexceptions import HTTPForbidden, HTTPFound
+            from pyramid.httpexceptions import HTTPForbidden, HTTPFound, HTTPNotFound
             from pylons.i18n.translation import _
             # NOTE(marcink): this has to be removed only after pyramid migration,
             # replace with _ = request.translate
                                 h.route_path('login', _query={'came_from': came_from}))
                         else:
-                            # redirect with forbidden ret code
+                            # redirect with 404 to prevent resource discovery
-                            raise HTTPForbidden()
+                            raise HTTPNotFound()
                 def check_permissions(self, user):
                     """Dummy function for overriding"""

rhodecode/tests/functional/test_admin_settings.py

0 +3 -3

                         '.panel-heading', 'Licenses of Third Party Packages')
                 def test_forbidden_when_normal_user(self, autologin_regular_user):
-                    self.app.get(self._get_url(), status=403)
+                    self.app.get(self._get_url(), status=404)
             @pytest.mark.usefixtures('app')
                     }[name]
                 def test_forbidden_when_normal_user(self, autologin_regular_user):
-                    self.app.get(self._get_url(), status=403)
+                    self.app.get(self._get_url(), status=404)
                 def test_show_sessions_page(self, autologin_user):
                     response = self.app.get(self._get_url(), status=200)
                     }[name]
                 def test_forbidden_when_normal_user(self, autologin_regular_user):
-                    self.app.get(self._get_url(), status=403)
+                    self.app.get(self._get_url(), status=404)
                 def test_system_info_page(self, autologin_user):
                     response = self.app.get(self._get_url())

rhodecode/tests/functional/test_forks.py

0 +1 -1

                     repo_name = self.REPO
                     self.app.post(
                         url(controller='forks', action='fork_create', repo_name=repo_name),
-                        {'csrf_token': self.csrf_token}, status=403)
+                        {'csrf_token': self.csrf_token}, status=404)
                 def test_index_with_fork(self):
                     self.log_user()

rhodecode/tests/functional/test_integrations.py

0 +1 -1

                 checks if the redirect url is correct.
                 """
-                app.post(url, params={}, status=403) # missing csrf check
+                app.post(url, params={}, status=403)  # missing csrf check
                 response = app.post(url, params={'csrf_token': csrf_token})
                 assert response.status_code == 200
                 assert 'Errors exist' in response.body

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages