login_password is expecting that the request content_type will be 'application/x-www-form-urlencoded'.

The current check is an equality check of the content_type HTTP header.

RFC 3875 defines that the content type can contain parameters separated by ';'. For example: when Firefox is doing an AJAX call, it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8', which leads to a negative result.

This patch makes the check more benevolent to allow such values.

Patch is a fix-up for:
https://fedorahosted.org/freeipa/ticket/2095
--
Petr Vobornik
From aabee55ec63b119a5556677508ae4d2e2b9daac4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <pvobo...@redhat.com>
Date: Wed, 29 Feb 2012 15:25:40 +0100
Subject: [PATCH] Fixed content type check in login_password

login_password is expecting that the request content_type will be 'application/x-www-form-urlencoded'.

The current check is an equality check of the content_type HTTP header.

RFC 3875 defines that the content type can contain parameters separated by ';'. For example: when Firefox is doing an AJAX call, it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8', which leads to a negative result.

This patch makes the check more benevolent to allow such values.

Patch is a fixup for:
https://fedorahosted.org/freeipa/ticket/2095
---
 ipaserver/rpcserver.py |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index c383f0482171e264c379aa594568f036feafe915..3ada8b48ff2ed16bf9d935c6a6f87539e2f1d9db 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -894,7 +894,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 
         # Get the user and password parameters from the request
         content_type = environ.get('CONTENT_TYPE', '').lower()
-        if content_type != 'application/x-www-form-urlencoded':
+        if not content_type.startswith('application/x-www-form-urlencoded'):
             return self.bad_request(environ, start_response, "Content-Type must be application/x-www-form-urlencoded")
 
         method = environ.get('REQUEST_METHOD', '').upper()
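Review bot: the `startswith` test on the `+` line is a bare prefix match, so it accepts any value that merely begins with the expected string (for example 'application/x-www-form-urlencodedfoo'), not only the 'type; parameter' form the commit message describes. Consider dropping the parameters and then comparing the media type exactly, e.g. `content_type.split(';', 1)[0].strip() != 'application/x-www-form-urlencoded'`, which keeps the original strictness and also tolerates whitespace before the ';'. A short comment above the check naming the 'charset=UTF-8' case would explain why the comparison is no longer a plain equality.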
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
