path: root/include/webserver_common.hpp
author    James Feist <james.feist@linux.intel.com>  2020-04-03 20:58:55 +0300
committer James Feist <james.feist@linux.intel.com>  2020-07-16 04:02:55 +0300
commit    3909dc82a003893812f598434d6c4558107afa28 (patch)
tree      b5c39fbb7d66ad9134a4f0fcecaa12c9346c5752 /include/webserver_common.hpp
parent    e7808c93f01081ca12e1b4769691b5ae673f9017 (diff)
download  bmcweb-3909dc82a003893812f598434d6c4558107afa28.tar.xz
Rework Authorization flow
Currently we parse the whole message before authenticating, allowing an attacker the ability to upload a large image, or keep a connection open for the max amount of time easier than it should be. This moves the authentication to the earliest point possible, and restricts unauthenticated users' timeouts and max upload sizes. It also makes it so that unauthenticated users cannot keep the connection alive forever by refusing to close the connection.

Tested:
- login/logout
- firmware update
- large POST when unauthenticated
- timeouts when unauthenticated
- slowhttptest

Change-Id: Ifa02d8db04eac1821e8950eb85e71634a9e6d265
Signed-off-by: James Feist <james.feist@linux.intel.com>
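The gating the commit message describes, as an added example that is not bmcweb's code: a small C++ model that parses only the header block, decides from it whether the connection is authenticated before a single body byte is consumed, and then applies per-connection limits (body size, idle timeout, keep-alive). The token value, the limit numbers, the `X-Auth-Token` header check and every function name below are constructed for this illustration; bmcweb's real server runs on Boost.Beast with persistent session data, none of which is reproduced here.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <optional>
#include <string>
#include <string_view>

constexpr auto npos = std::string_view::npos;

// Limits applied to a connection depending on whether it has authenticated.
// The numbers are constructed for this example, not bmcweb's values.
struct ConnectionPolicy {
    std::size_t maxBodyBytes;   // largest request body the server will read
    int idleTimeoutSeconds;     // how long an idle connection may stay open
    bool allowKeepAlive;        // may the client reuse the connection?
};
constexpr ConnectionPolicy kAuthenticated{64 * 1024 * 1024, 60, true};
constexpr ConnectionPolicy kUnauthenticated{4 * 1024, 5, false};

// Header names are case-insensitive, so the map compares them that way.
struct CiLess {
    bool operator()(const std::string& a, const std::string& b) const {
        return std::lexicographical_compare(
            a.begin(), a.end(), b.begin(), b.end(),
            [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
    }
};
using Headers = std::map<std::string, std::string, CiLess>;

// Parse only the header block (request line up to the blank line). Returns
// nullopt while the blank line has not arrived, so the caller keeps reading
// headers but never touches the body before the auth decision is made.
std::optional<Headers> parseHeaders(std::string_view raw) {
    std::size_t end = raw.find("\r\n\r\n");
    if (end == npos) return std::nullopt;
    Headers h;
    std::string_view block = raw.substr(0, end);
    std::size_t pos = block.find("\r\n");      // skip the request line
    if (pos == npos) return h;                 // no header lines at all
    pos += 2;
    while (pos < block.size()) {
        std::size_t lineEnd = block.find("\r\n", pos);
        if (lineEnd == npos) lineEnd = block.size();
        std::string_view line = block.substr(pos, lineEnd - pos);
        std::size_t colon = line.find(':');
        if (colon != npos) {
            std::string_view value = line.substr(colon + 1);
            while (!value.empty() && value.front() == ' ') value.remove_prefix(1);
            h[std::string(line.substr(0, colon))] = std::string(value);
        }
        pos = lineEnd + 2;
    }
    return h;
}

// Authentication stand-in: a constructed token compared against one known
// session. A real server would look the token up in its session store.
bool isAuthenticated(const Headers& h) {
    static const std::string kValidToken = "example-session-token";  // constructed
    auto it = h.find("X-Auth-Token");
    return it != h.end() && it->second == kValidToken;
}

// Decision taken as soon as headers are complete: 0 = go on to read the body,
// otherwise the HTTP status to answer with before reading anything further.
struct Decision {
    int status;
    ConnectionPolicy policy;
};

Decision decideAfterHeaders(const Headers& h) {
    ConnectionPolicy p = isAuthenticated(h) ? kAuthenticated : kUnauthenticated;
    std::size_t declared = 0;
    if (auto it = h.find("Content-Length"); it != h.end()) {
        try { declared = std::stoull(it->second); } catch (...) { return {400, p}; }
    }
    if (declared > p.maxBodyBytes) return {413, p};   // reject before the upload starts
    return {0, p};
}

// Unauthenticated connections are closed after the response even if the
// client asked for keep-alive; authenticated ones follow the usual rule.
bool keepConnectionOpen(const Headers& h, const ConnectionPolicy& p) {
    if (!p.allowKeepAlive) return false;
    auto it = h.find("Connection");
    return it == h.end() || it->second != "close";
}

// Wrappers over a raw header block, convenient for tests and for the demo below.
// -1 from statusFor means the header block is not complete yet.
int statusFor(std::string_view raw) {
    auto h = parseHeaders(raw);
    return h ? decideAfterHeaders(*h).status : -1;
}
bool keepAliveFor(std::string_view raw) {
    auto h = parseHeaders(raw);
    return h && keepConnectionOpen(*h, decideAfterHeaders(*h).policy);
}
int timeoutFor(std::string_view raw) {
    auto h = parseHeaders(raw);
    return h ? decideAfterHeaders(*h).policy.idleTimeoutSeconds : kUnauthenticated.idleTimeoutSeconds;
}

int main() {
    // Constructed request: an unauthenticated client declaring a 1 MiB upload.
    const char* raw = "POST /redfish/v1/UpdateService HTTP/1.1\r\nHost: bmc\r\n"
                      "Connection: keep-alive\r\nContent-Length: 1048576\r\n\r\n";
    std::cout << "status=" << statusFor(raw) << " keepalive=" << keepAliveFor(raw)
              << " timeout=" << timeoutFor(raw) << "s\n";
    return 0;
}
```

Two caveats a practitioner would add when turning this into a real server: the `Content-Length` check only rejects what the client declares, so the same `maxBodyBytes` has to be enforced on the bytes actually read (including chunked bodies), and the short idle timeout must cover the header phase as well, since a client that trickles headers and never sends the blank line is exactly the slow-HTTP case the commit message lists under "Tested".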
Diffstat (limited to 'include/webserver_common.hpp')
-rw-r--r--  include/webserver_common.hpp  5
1 files changed, 2 insertions, 3 deletions
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index 079b17a96f..d8876d473b 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -15,9 +15,8 @@
*/
#pragma once
+#include "persistent_data_middleware.hpp"
#include "security_headers_middleware.hpp"
-#include "token_authorization_middleware.hpp"
using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
- crow::persistent_data::Middleware,
- crow::token_authorization::Middleware>;
+ crow::persistent_data::Middleware>;
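Review bot: Dropping crow::token_authorization::Middleware from the CrowApp alias removes authentication from the middleware chain for every route built on this type, and nothing in this hunk shows where it is performed instead; the commit message says it moves to the earliest point in the connection flow, so the review should confirm that the replacement runs before any request body is read and that no route depended on context the removed middleware used to populate. The new explicit `#include "persistent_data_middleware.hpp"` is needed because the deleted `token_authorization_middleware.hpp` include was presumably the transitive source of that header here; any other translation unit that relied on the same transitive include needs the same treatment or the build will break once the old header is gone.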