Mitigate CSRF in profile's SSH Keys #212

ikus060 · ikus060 · commit 9125f5a2d918 · 2022-09-14T11:11:30.000-04:00
diff --git a/README.md b/README.md
@@ -107,6 +107,12 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## 2.4.3 (2022-09-14)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Mitigate CSRF in profile's SSH Keys #212
+
 ## 2.4.2 (2022-09-12)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
diff --git a/rdiffweb/controller/pref_sshkeys.py b/rdiffweb/controller/pref_sshkeys.py
@@ -111,9 +111,10 @@ def render_prefs_panel(self, panelid, action=None, **kwargs):  # @UnusedVariable
 
         # Handle action
         form = SshForm()
-        if action == "add":
+        delete_form = DeleteSshForm()
+        if action == "add" and form.is_submitted():
             self._add_key(action, form)
-        elif action == 'delete':
+        elif action == 'delete' and delete_form.is_submitted():
             self._delete_key(action, DeleteSshForm())
 
         # Get SSH keys if file exists.
diff --git a/rdiffweb/controller/tests/test_page_prefs_ssh.py b/rdiffweb/controller/tests/test_page_prefs_ssh.py
@@ -99,6 +99,18 @@ def test_add_invalid(self):
         self.assertInBody("Invalid SSH key.")
         self.assertEqual(0, len(list(user.authorizedkeys)))
 
+    def test_add_get_method(self):
+        # Given an authenticated user
+        user = self.app.store.get_user('admin')
+        # When querying a page with parameters (HTTP GET)
+        self.getPage(
+            "/prefs/sshkeys?action=add&title=ssh1&key=ssh-rsa+AAAAB3NzaC1yc2EAAAADAQABAAAAgQCzurRNVKwb0ZJCmUgGenoe4vth5gnHxgnzjHSUO8r7IZiouB6DAciiVUAryV6MQm5trwIXNo0QDwFxyX99exIwUlDu3OzhZHKKbb721hCID17AWZMAQIgxQdu6b27s5YgJXsaxXWvEO2lSRVOnVXoCSI7mK5St%2FCJ8O1OdXivNIQ%3D%3D+noname%0D%0A"
+        )
+        # Then page return without error
+        self.assertStatus(200)
+        # Then ssh key is not added
+        self.assertEqual(0, len(list(user.authorizedkeys)))
+
     def test_delete(self):
         # Delete existing keys
         user = self.app.store.get_user('admin')
