diff options
author | Joey Hess <joey@kitenet.net> | 2012-07-29 12:12:14 -0400 |
---|---|---|
committer | Joey Hess <joey@kitenet.net> | 2012-07-29 12:12:14 -0400 |
commit | ea05ba893c1e7f56e24115a2641cd517bb3560a5 (patch) | |
tree | e06919814acb7a398bca3bc400f2f19be1f508f8 | |
parent | c2f3e66d8c65e46046f83221996b3a180bd49657 (diff) |
fix the auto token leak on auth error page issue permanantly
-rw-r--r-- | Utility/WebApp.hs | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs index 75e8dde9e..971422e36 100644 --- a/Utility/WebApp.hs +++ b/Utility/WebApp.hs @@ -137,7 +137,11 @@ genRandomToken = do Right (s, _) -> showDigest $ sha512 $ L.fromChunks [s] {- A Yesod isAuthorized method, which checks the auth cgi parameter - - against a token extracted from the Yesod application. -} + - against a token extracted from the Yesod application. + - + - Note that the usual Yesod error page is bypassed on error, to avoid + - possibly leaking the auth token in urls on that page! + -} checkAuthToken :: forall t sub. (t -> T.Text) -> GHandler sub t AuthResult checkAuthToken extractToken = do webapp <- getYesod @@ -145,7 +149,7 @@ checkAuthToken extractToken = do let params = reqGetParams req if lookup "auth" params == Just (extractToken webapp) then return Authorized - else return AuthenticationRequired + else sendResponseStatus unauthorized401 () {- A Yesod joinPath method, which adds an auth cgi parameter to every - url matching a predicate, containing a token extracted from the |