yesod/yesod-core/test/YesodCoreTest
Evan Rutledge Borden b50ca99566 Deprecate insecure JSON body functions
`parseJsonBody` and `requireJsonBody` do not require a mime type when
parsing `JSON` content. This leaves them open to CSRF. They are now
deprecated and `insecure` versions are added in their place. Consumers
are now given a proper choice between secure and insecure functions.

There is a potential attack vector in that the browser does not trigger
CORS requests for "simple requests", which includes POST requests that
are form or text content-types. An attacker can craft a form whose body
is valid JSON, and when a user visits attacker.com and submits that
form, it can be submitted to bank.com and bypass CORS.

Checking the content-type is application/json prevents this, because if
the content-type was set to application/json, then the browser would
send a CORS request—a preflight OPTIONS request to the server asking if
the current domain (and some other values) are whitelisted to send
requests to that server. If the server doesn't say attacker.com is
whitelisted, the browser will not send the real request to the server.
2019-01-24 09:12:48 -06:00
JsLoaderSites Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
Auth.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
Cache.hs Fix test suite compilation on GHC 8.6.3 commercialhaskell/stackage#4319 2019-01-22 18:40:31 +02:00
CleanPath.hs Catch up with Data.Conduit.Combinators 2018-01-10 12:16:31 -08:00
Csrf.hs Default CSRF tokens to the root path "/" 2016-08-16 07:25:41 -07:00
ErrorHandling.hs selectRep chooses first rep if no matches found. 2018-07-19 21:32:02 -05:00
Exceptions.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
Header.hs Set X-XSS-Protection to 1; mode=block. 2018-08-03 14:17:11 -05:00
InternalRequest.hs Drop mwc-random 2018-01-15 10:18:16 +02:00
JsLoader.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
Json.hs Deprecate insecure JSON body functions 2019-01-24 09:12:48 -06:00
Links.hs Catch up with Data.Conduit.Combinators 2018-01-10 12:16:31 -08:00
LiteApp.hs LiteApp uses a Writer monad 2013-03-27 08:51:03 +02:00
Media.hs Take hlint suggestions. 2016-06-28 08:28:23 +02:00
MediaData.hs Route attributes/appcache example #518 2013-04-11 17:07:22 +03:00
NoOverloadedStrings.hs Switch to SubHandlerFor 2018-01-24 13:01:26 +02:00
NoOverloadedStringsSub.hs Simplify YesodSubDispatch 2018-01-11 23:13:32 +02:00
RawResponse.hs Add timeouts so stalling is more obvious 2018-06-19 09:52:20 +03:00
Redirect.hs Code review fixes for #1444 2017-09-08 09:00:12 +09:00
Reps.hs selectRep chooses first rep if no matches found. 2018-07-19 21:32:02 -05:00
RequestBodySize.hs Cleanup warnings 2018-01-15 15:09:07 +02:00
Ssl.hs Add laxSameSiteSessions and strictSameSiteSessions 2016-05-01 16:31:01 +01:00
Streaming.hs LiteApp uses a Writer monad 2013-03-27 08:51:03 +02:00
StubLaxSameSite.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
StubSslOnly.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
StubStrictSameSite.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
StubUnsecured.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
WaiSubsite.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
Widget.hs Compile with -Wall -Werror 2017-02-05 12:09:18 +02:00
YesodTest.hs Simplified GHandler/GWidget 2013-03-13 10:59:10 +02:00