Google Git
Sign in
gerrit / gerrit / 3a6f0779325eb457594185c093a9ca8fea0af789
commit3a6f0779325eb457594185c093a9ca8fea0af789[log] [tgz]
authorBrad Larson <bklarson@gmail.com>Wed Jul 25 11:41:22 2012 -0500
committerShawn O. Pearce <sop@google.com>Tue Aug 14 19:05:21 2012 -0700
treed3833fa07ce56c7b3107bb7e5873433b675a197f
parent513e86debec00d556e360c1296773d5815c20f52 [diff]
Tokenized REST API POST handler

POST requests typically modify server state, and are often vulnerable
to XSRF attacks.  For example, a site admin could be fooled into
clicking a button on a rogue website which causes his browser to run
REST commands against the server.

To prevent against this, REST POST requests should include a token
which is first retrieved by making a GET request to the same URL.
This token allows us to verify that the user visited the Gerrit site
and helps protect against XSRF.

An example use-case of this new API:

 token = $(curl --anyauth -u [user] http://review/a/rest-api | tail -n 1)
 curl --anyauth -u [user] -d $token http://review/a/rest-api

Signed-off-by: Brad Larson <bklarson@gmail.com>
Change-Id: I18f3ad2b6be4df2e5a6fa3262de5a2f4601fccea
12 files changed
tree: d3833fa07ce56c7b3107bb7e5873433b675a197f
  1. contrib/
  2. Documentation/
  3. gerrit-antlr/
  4. gerrit-cache-h2/
  5. gerrit-common/
  6. gerrit-extension-api/
  7. gerrit-gwtdebug/
  8. gerrit-gwtui/
  9. gerrit-httpd/
  10. gerrit-launcher/
  11. gerrit-main/
  12. gerrit-openid/
  13. gerrit-package-plugins/
  14. gerrit-patch-commonsnet/
  15. gerrit-patch-jgit/
  16. gerrit-pgm/
  17. gerrit-plugin-api/
  18. gerrit-plugin-archetype/
  19. gerrit-prettify/
  20. gerrit-reviewdb/
  21. gerrit-server/
  22. gerrit-sshd/
  23. gerrit-util-cli/
  24. gerrit-util-ssl/
  25. gerrit-war/
  26. ReleaseNotes/
  27. tools/
  28. .gitignore
  29. COPYING
  30. INSTALL
  31. pom.xml
  32. SUBMITTING_PATCHES